diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 601 |
1 files changed, 601 insertions, 0 deletions
diff --git a/README b/README new file mode 100644 index 0000000000000..20fd84a13e44f --- /dev/null +++ b/README @@ -0,0 +1,601 @@ +BIND 9 + + BIND version 9 is a major rewrite of nearly all aspects of the + underlying BIND architecture. Some of the important features of + BIND 9 are: + + - DNS Security + DNSSEC (signed zones) + TSIG (signed DNS requests) + + - IP version 6 + Answers DNS queries on IPv6 sockets + IPv6 resource records (AAAA) + Experimental IPv6 Resolver Library + + - DNS Protocol Enhancements + IXFR, DDNS, Notify, EDNS0 + Improved standards conformance + + - Views + One server process can provide multiple "views" of + the DNS namespace, e.g. an "inside" view to certain + clients, and an "outside" view to others. + + - Multiprocessor Support + + - Improved Portability Architecture + + + BIND version 9 development has been underwritten by the following + organizations: + + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. + + +BIND 9.4.2 + + BIND 9.4.2 is a maintenance release, containing fixes for + a number of bugs in 9.4.1. + + Warning: If you installed BIND 9.4.2rc1 then any applications + linked against this release candidate will need to be rebuilt. + +BIND 9.4.1 + + BIND 9.4.1 is a security release, containing a fix for + a security bugs in 9.4.0. + +BIND 9.4.0 + + BIND 9.4.0 has a number of new features over 9.3, + including: + + Implemented "additional section caching" (or "acache"), an + internal cache framework for additional section content to + improve response performance. Several configuration options + were provided to control the behavior. + + New notify type 'master-only'. Enable notify for master + zones only. + + Accept 'notify-source' style syntax for query-source. + + rndc now allows addresses to be set in the server clauses. + + New option "allow-query-cache". This lets allow-query be + used to specify the default zone access level rather than + having to have every zone override the global value. + allow-query-cache can be set at both the options and view + levels. If allow-query-cache is not set then allow-recursion + is used if set, otherwise allow-query is used if set, otherwise + the default (localhost; localnets;) is used. + + rndc: the source address can now be specified. + + ixfr-from-differences now takes master and slave in addition + to yes and no at the options and view levels. + + Allow the journal's name to be changed via named.conf. + + 'rndc notify zone [class [view]]' resend the NOTIFY messages + for the specified zone. + + 'dig +trace' now randomly selects the next servers to try. + Report if there is a bad delegation. + + Improve check-names error messages. + + Make public the function to read a key file, dst_key_read_public(). + + dig now returns the byte count for axfr/ixfr. + + allow-update is now settable at the options / view level. + + named-checkconf now checks the logging configuration. + + host now can turn on memory debugging flags with '-m'. + + Don't send notify messages to self. + + Perform sanity checks on NS records which refer to 'in zone' names. + + New zone option "notify-delay". Specify a minimum delay + between sets of NOTIFY messages. + + Extend adjusting TTL warning messages. + + Named and named-checkzone can now both check for non-terminal + wildcard records. + + "rndc freeze/thaw" now freezes/thaws all zones. + + named-checkconf now check acls to verify that they only + refer to existing acls. + + The server syntax has been extended to support a range of + servers. + + Report differences between hints and real NS rrset and + associated address records. + + Preserve the case of domain names in rdata during zone + transfers. + + Restructured the data locking framework using architecture + dependent atomic operations (when available), improving + response performance on multi-processor machines significantly. + x86, x86_64, alpha, powerpc, and mips are currently supported. + + UNIX domain controls are now supported. + + Add support for additional zone file formats for improving + loading performance. The masterfile-format option in + named.conf can be used to specify a non-default format. A + separate command named-compilezone was provided to generate + zone files in the new format. Additionally, the -I and -O + options for dnssec-signzone specify the input and output + formats. + + dnssec-signzone can now randomize signature end times + (dnssec-signzone -j jitter). + + Add support for CH A record. + + Add additional zone data consistancy checks. named-checkzone + has extended checking of NS, MX and SRV record and the hosts + they reference. named has extended post zone load checks. + New zone options: check-mx and integrity-check. + + edns-udp-size can now be overridden on a per server basis. + + dig can now specify the EDNS version when making a query. + + Added framework for handling multiple EDNS versions. + + Additional memory debugging support to track size and mctx + arguments. + + Detect duplicates of UDP queries we are recursing on and + drop them. New stats category "duplicates". + + Memory management. "USE INTERNAL MALLOC" is now runtime selectable. + + The lame cache is now done on a <qname,qclass,qtype> basis + as some servers only appear to be lame for certain query + types. + + Limit the number of recursive clients that can be waiting + for a single query (<qname,qtype,qclass>) to resolve. New + options clients-per-query and max-clients-per-query. + + dig: report the number of extra bytes still left in the + packet after processing all the records. + + Support for IPSECKEY rdata type. + + Raise the UDP receive buffer size to 32k if it is less than 32k. + + x86 and x86_64 now have separate atomic locking implementations. + + named-checkconf now validates update-policy entries. + + Attempt to make the amount of work performed in a iteration + self tuning. The covers nodes clean from the cache per + iteration, nodes written to disk when rewriting a master + file and nodes destroyed per iteration when destroying a + zone or a cache. + + ISC string copy API. + + Automatic empty zone creation for D.F.IP6.ARPA and friends. + Note: RFC 1918 zones are not yet covered by this but are + likely to be in a future release. + + New options: empty-server, empty-contact, empty-zones-enable + and disable-empty-zone. + + dig now has a '-q queryname' and '+showsearch' options. + + host/nslookup now continue (default)/fail on SERVFAIL. + + dig now warns if 'RA' is not set in the answer when 'RD' + was set in the query. host/nslookup skip servers that fail + to set 'RA' when 'RD' is set unless a server is explicitly + set. + + Integrate contributed DLZ code into named. + + Integrate contributed IDN code from JPNIC. + + Validate pending NS RRsets, in the authority section, prior + to returning them if it can be done without requiring DNSKEYs + to be fetched. + + It is now possible to configure named to accept expired + RRSIGs. Default "dnssec-accept-expired no;". Setting + "dnssec-accept-expired yes;" leaves named vulnerable to + replay attacks. + + Additional memory leakage checks. + + The maximum EDNS UDP response named will send can now be + set in named.conf (max-udp-size). This is independent of + the advertised receive buffer (edns-udp-size). + + Named now falls back to advertising EDNS with a 512 byte + receive buffer if the initial EDNS queries fail. + + Control the zeroing of the negative response TTL to a soa + query. Defaults "zero-no-soa-ttl yes;" and + "zero-no-soa-ttl-cache no;". + + Separate out MX and SRV to CNAME checks. + + dig/nslookup/host: warn about missing "QR". + + TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and + HMACSHA512 support. + + dnssec-signzone: output the SOA record as the first record + in the signed zone. + + Two new update policies. "selfsub" and "selfwild". + + dig, nslookup and host now advertise a 4096 byte EDNS UDP + buffer size by default. + + Report when a zone is removed. + + DS/DLV SHA256 digest algorithm support. + + Implement "rrset-order fixed". + + Check the KSK flag when updating a secure dynamic zone. + New zone option "update-check-ksk yes;". + + It is now possible to explicitly enable DNSSEC validation. + default dnssec-validation no; to be changed to yes in 9.5.0. + + It is now possible to enable/disable DNSSEC validation + from rndc. This is useful for the mobile hosts where the + current connection point breaks DNSSEC (firewall/proxy). + + rndc validation newstate [view] + + dnssec-signzone can now update the SOA record of the signed + zone, either as an increment or as the system time(). + + Statistics about acache now recorded and sent to log. + + libbind: corresponds to that from BIND 8.4.7. + +BIND 9.3.0 + + BIND 9.3.0 has a number of new features over 9.2, + including: + + DNSSEC is now DS based (RFC 3658). + See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. + + DNSSEC lookaside validation. + + check-names is now implemented. + rrset-order in more complete. + + IPv4/IPv6 transition support, dual-stack-servers. + + IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + + It is now possible to specify the size of a journal, max-journal-size. + + It is now possible to define a named set of master servers to be + used in masters clause, masters. + + The advertised EDNS UDP size can now be set, edns-udp-size. + + allow-v6-synthesis has been obsoleted. + + NOTE: + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as + NOTIMP rather than NOTIMPL. This will have impact on scripts + that are looking for NOTIMPL. + + libbind: corresponds to that from BIND 8.4.5. + +BIND 9.2.0 + + BIND 9.2.0 has a number of new features over 9.1, + including: + + - The size of the cache can now be limited using the + "max-cache-size" option. + + - The server can now automatically convert RFC1886-style + recursive lookup requests into RFC2874-style lookups, + when enabled using the new option "allow-v6-synthesis". + This allows stub resolvers that support AAAA records + but not A6 record chains or binary labels to perform + lookups in domains that make use of these IPv6 DNS + features. + + - Performance has been improved. + + - The man pages now use the more portable "man" macros + rather than the "mandoc" macros, and are installed + by "make install". + + - The named.conf parser has been completely rewritten. + It now supports "include" directives in more + places such as inside "view" statements, and it no + longer has any reserved words. + + - The "rndc status" command is now implemented. + + - rndc can now be configured automatically. + + - A BIND 8 compatible stub resolver library is now + included in lib/bind. + + - OpenSSL has been removed from the distribution. This + means that to use DNSSEC, OpenSSL must be installed and + the --with-openssl option must be supplied to configure. + This does not apply to the use of TSIG, which does not + require OpenSSL. + + - The source distribution now builds on Windows NT/2000. + See win32utils/readme1.txt and win32utils/win32-build.txt + for details. + + This distribution also includes a new lightweight stub + resolver library and associated resolver daemon that fully + support forward and reverse lookups of both IPv4 and IPv6 + addresses. This library is considered experimental and + is not a complete replacement for the BIND 8 resolver library. + Applications that use the BIND 8 res_* functions to perform + DNS lookups or dynamic updates still need to be linked against + the BIND 8 libraries. For DNS lookups, they can also use the + new "getrrsetbyname()" API. + + BIND 9.2 is capable of acting as an authoritative server + for DNSSEC secured zones. This functionality is believed to + be stable and complete except for lacking support for + verifications involving wildcard records in secure zones. + + When acting as a caching server, BIND 9.2 can be configured + to perform DNSSEC secure resolution on behalf of its clients. + This part of the DNSSEC implementation is still considered + experimental. For detailed information about the state of the + DNSSEC implementation, see the file doc/misc/dnssec. + + There are a few known bugs: + + On some systems, IPv6 and IPv4 sockets interact in + unexpected ways. For details, see doc/misc/ipv6. + To reduce the impact of these problems, the server + no longer listens for requests on IPv6 addresses + by default. If you need to accept DNS queries over + IPv6, you must specify "listen-on-v6 { any; };" + in the named.conf options statement. + + FreeBSD prior to 4.2 (and 4.2 if running as non-root) + and OpenBSD prior to 2.8 log messages like + "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and + OS X 10.2 (Darwin 6.0) reports errors like + "fcntl(3, F_SETFL, 4): Operation not supported by device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + --with-libtool does not work on AIX. + + --with-libtool does not work on SunOS 4. configure + requires "printf" which is not available. + + A bug in the Windows 2000 DNS server can cause zone transfers + from a BIND 9 server to a W2K server to fail. For details, + see the "Zone Transfers" section in doc/misc/migration. + + For a detailed list of user-visible changes from + previous releases, see the CHANGES file. + + +Building + + BIND 9 currently requires a UNIX system with an ANSI C compiler, + basic POSIX support, and a 64 bit integer type. + + We've had successful builds and tests on the following systems: + + COMPAQ Tru64 UNIX 5.1B + FreeBSD 4.10, 5.2.1, 6.2 + HP-UX 11.11 + NetBSD 1.5 + Slackware Linux 8.1 + Solaris 8, 9, 9 (x86) + Windows NT/2000/XP/2003 + + Additionally, we have unverified reports of success building + previous versions of BIND 9 from users of the following systems: + + AIX 5L + SuSE Linux 7.0 + Slackware Linux 7.x, 8.0 + Red Hat Linux 7.1 + Debian GNU/Linux 2.2 and 3.0 + Mandrake 8.1 + OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8 + UnixWare 7.1.1 + HP-UX 10.20 + BSD/OS 4.2 + Mac OS X 10.1, 10.3.8 + + To build, just + + ./configure + make + + Do not use a parallel "make". + + Several environment variables that can be set before running + configure will affect compilation: + + CC + The C compiler to use. configure tries to figure + out the right one for supported systems. + + CFLAGS + C compiler flags. Defaults to include -g and/or -O2 + as supported by the compiler. + + STD_CINCLUDES + System header file directories. Can be used to specify + where add-on thread or IPv6 support is, for example. + Defaults to empty string. + + STD_CDEFINES + Any additional preprocessor symbols you want defined. + Defaults to empty string. + + Possible settings: + Change the default syslog facility of named/lwresd. + -DISC_FACILITY=LOG_LOCAL0 + Enable DNSSEC signature chasing support in dig. + -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and + -DDIG_SIGCHASE_BU=1) + Disable dropping queries from particular well known ports. + -DNS_CLIENT_DROPPORT=0 + Disable support for "rrset-order fixed". + -DDNS_RDATASET_FIXED=0 + + LDFLAGS + Linker flags. Defaults to empty string. + + The following need to be set when cross compiling. + + BUILD_CC + The native C compiler. + BUILD_CFLAGS (optional) + BUILD_CPPFLAGS (optional) + Possible Settings: + -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>) + BUILD_LDFLAGS (optional) + BUILD_LIBS (optional) + + To build shared libraries, specify "--with-libtool" on the + configure command line. + + For the server to support DNSSEC, you need to build it + with crypto support. You must have OpenSSL 0.9.5a + or newer installed and specify "--with-openssl" on the + configure command line. If OpenSSL is installed under + a nonstandard prefix, you can tell configure where to + look for it using "--with-openssl=/prefix". + + To build libbind (the BIND 8 resolver library), specify + "--enable-libbind" on the configure command line. + + On some platforms, BIND 9 can be built with multithreading + support, allowing it to take advantage of multiple CPUs. + You can specify whether to build a multithreaded BIND 9 + by specifying "--enable-threads" or "--disable-threads" + on the configure command line. The default is operating + system dependent. + + If your operating system has integrated support for IPv6, it + will be used automatically. If you have installed KAME IPv6 + separately, use "--with-kame[=PATH]" to specify its location. + + "make install" will install "named" and the various BIND 9 libraries. + By default, installation is into /usr/local, but this can be changed + with the "--prefix" option when running "configure". + + You may specify the option "--sysconfdir" to set the directory + where configuration files like "named.conf" go by default, + and "--localstatedir" to set the default parent directory + of "run/named.pid". For backwards compatibility with BIND 8, + --sysconfdir defaults to "/etc" and --localstatedir defaults to + "/var" if no --prefix option is given. If there is a --prefix + option, sysconfdir defaults to "$prefix/etc" and localstatedir + defaults to "$prefix/var". + + To see additional configure options, run "configure --help". + Note that the help message does not reflect the BIND 8 + compatibility defaults for sysconfdir and localstatedir. + + If you're planning on making changes to the BIND 9 source, you + should also "make depend". If you're using Emacs, you might find + "make tags" helpful. + + If you need to re-run configure please run "make distclean" first. + This will ensure that all the option changes take. + + Building with gcc is not supported, unless gcc is the vendor's usual + compiler (e.g. the various BSD systems, Linux). + + Known compiler issues: + * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. + * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. + * gcc-3.3.5 powerpc generates incorrect code at -02. + * Irix, MipsPRO 7.4.1m is known to cause problems. + + A limited test suite can be run with "make test". Many of + the tests require you to configure a set of virtual IP addresses + on your system, and some require Perl; see bin/tests/system/README + for details. + + +Documentation + + The BIND 9 Administrator Reference Manual is included with the + source distribution in DocBook XML and HTML format, in the + doc/arm directory. + + Some of the programs in the BIND 9 distribution have man pages + in their directories. In particular, the command line + options of "named" are documented in /bin/named/named.8. + There is now also a set of man pages for the lwres library. + + If you are upgrading from BIND 8, please read the migration + notes in doc/misc/migration. If you are upgrading from + BIND 4, read doc/misc/migration-4to9. + + Frequently asked questions and their answers can be found in + FAQ. + + +Bug Reports and Mailing Lists + + Bugs reports should be sent to + + bind9-bugs@isc.org + + To join the BIND Users mailing list, send mail to + + bind-users-request@isc.org + + archives of which can be found via + + http://www.isc.org/ops/lists/ + + If you're planning on making changes to the BIND 9 source + code, you might want to join the BIND Forum as a Worker. + This gives you access to the bind-workers@isc.org mailing + list and pre-release access to the code. + + http://www.isc.org/sw/guild/bf/ |