BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture.
BIND 9.4 is a previous major release. It is still supported, and bug fixes and security fixes will be made available as minor releases. No new features will be added. Some of the important features of BIND 9 are:
All ISC software is signed with our OpenPGP key. You can download ISC software either from our master site or from a number of mirror sites across the globe.
BIND 9.4 has a number of new features over 9.3, including:
Implemented "additional section caching" (or "acache"), an internal cache framework for additional section content to improve response performance. Several configuration options were provided to control the behavior.
New notify type 'master-only'. Enable notify for master zones only.
Accept 'notify-source' style syntax for query-source.
rndc now allows addresses to be set in the server clauses.
New option "allow-query-cache". This lets allow-query be used to specify the default zone access level rather than having to have every zone override the global value. allow-query-cache can be set at both the options and view levels. If allow-query-cache is not set, allow-query applies.
rndc: the source address can now be specified.
ixfr-from-differences now takes master and slave in addition to yes and no at the options and view levels.
Allow the journal's name to be changed via named.conf.
'rndc notify zone [class [view]]' resends the NOTIFY messages for the specified zone.
'dig +trace' now randomly selects the next servers to try. Report if there is a bad delegation.
Improve check-names error messages.
Make public the function to read a key file, dst_key_read_public().
dig now returns the byte count for axfr/ixfr.
allow-update is now settable at the options / view level.
named-checkconf now checks the logging configuration.
host can now turn on memory debugging flags with '-m'.
Don't send notify messages to self.
Perform sanity checks on NS records which refer to 'in zone' names.
New zone option "notify-delay". Specify a minimum delay between sets of NOTIFY messages.
Extend adjusting TTL warning messages.
named and named-checkzone can now both check for non-terminal wildcard records.
"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now checks acls to verify that they only refer to existing acls.
The server syntax has been extended to support a range of servers.
Report differences between hints and real NS rrset and associated address records.
Preserve the case of domain names in rdata during zone transfers.
Restructured the data locking framework using architecture dependent atomic operations (when available), improving response performance on multi-processor machines significantly. x86, x86_64, alpha, powerpc, and mips are currently supported.
UNIX domain controls are now supported.
Add support for additional zone file formats for improving loading performance. The masterfile-format option in named.conf can be used to specify a non-default format. A separate command named-compilezone was provided to generate zone files in the new format. Additionally, the -I and -O options for dnssec-signzone specify the input and output formats.
dnssec-signzone can now randomize signature end times (dnssec-signzone -j jitter).
Add support for CH A record.
Add additional zone data constancy checks. named-checkzone has extended checking of NS, MX and SRV records and the hosts they reference. named has extended post zone load checks. New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
Added framework for handling multiple EDNS versions.
Additional memory debugging support to track size and mctx arguments.
Detect duplicates of UDP queries we are recursing on and drop them. New stats category "duplicates".
Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a
Limit the number of recursive clients that can be waiting
for a single query (
dig: report the number of extra bytes still left in the
packet after processing all the records.
Support for IPSECKEY rdata type.
Raise the UDP receive buffer size to 32k if it is less than 32k.
x86 and x86_64 now have separate atomic locking implementations.
named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.
ISC string copy API.
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.
New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.
dig now has a '-q queryname' and '+showsearch' options.
host/nslookup now continue (default)/fail on SERVFAIL.
dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.
Integrate contributed DLZ code into named.
Integrate contributed IDN code from JPNIC.
Validate pending NS RRsets, in the authority section, prior
to returning them if it can be done without requiring DNSKEYs
to be fetched.
It is now possible to configure named to accept expired
RRSIGs. Default "dnssec-accept-expired no;". Setting
"dnssec-accept-expired yes;" leaves named vulnerable to
replay attacks.
Additional memory leakage checks.
The maximum EDNS UDP response named will send can now be
set in named.conf (max-udp-size). This is independent of
the advertised receive buffer (edns-udp-size).
Named now falls back to advertising EDNS with a 512 byte
receive buffer if the initial EDNS queries fail.
Control the zeroing of the negative response TTL to a SOA
query. Defaults: "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;".
Separate out MX and SRV to CNAME checks.
dig/nslookup/host: warn about missing "QR".
TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support.
dnssec-signzone: output the SOA record as the first record
in the signed zone.
Two new update policies. "selfsub" and "selfwild".
dig, nslookup and host now advertise a 4096 byte EDNS UDP
buffer size by default.
Report when a zone is removed.
DS/DLV SHA256 digest algorithm support.
Implement "rrset-order fixed".
Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;".
It is now possible to explicitly enable DNSSEC validation.
default dnssec-validation no; to be changed to yes in 9.5.0.
It is now possible to enable/disable DNSSEC validation
from rndc. This is useful for mobile hosts where the
current connection point breaks DNSSEC (firewall/proxy).
rndc validation newstate [view]
dnssec-signzone can now update the SOA record of the signed
zone, either as an increment or as the system time().
Statistics about acache now recorded and sent to log.
libbind: corresponds to that from BIND 8.4.7.
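Several of the options listed above interact (allow-query versus allow-query-cache, dnssec-validation versus dnssec-accept-expired, edns-udp-size versus max-udp-size), and they are easiest to read together. The named.conf fragment below is an added example for this page, not configuration shipped by ISC; the directory, zone name, file name, key name, key secret and the 192.0.2.0/24 prefix are placeholders I chose for illustration.

```conf
options {
    directory "/var/named";          // placeholder path

    // Zone data is public, but the cache (and recursion) is only for local clients.
    // allow-query is the default per-zone access level; allow-query-cache governs
    // access to cached (recursed) answers. If allow-query-cache were omitted,
    // allow-query would apply to the cache as well, exposing it to anyone.
    allow-query       { any; };
    allow-query-cache { 127.0.0.1; 192.0.2.0/24; };   // 192.0.2.0/24: documentation prefix, placeholder
    allow-recursion   { 127.0.0.1; 192.0.2.0/24; };

    // Validation is off by default in 9.4 and must be enabled explicitly.
    // A trust anchor still has to be supplied in a trusted-keys statement (not shown).
    dnssec-validation yes;
    // Keep the default: accepting expired RRSIGs would let once-valid signed
    // data be replayed after its signatures have expired.
    dnssec-accept-expired no;

    // edns-udp-size is the receive buffer named advertises; max-udp-size caps
    // the EDNS responses it actually sends. They are set independently.
    edns-udp-size 4096;
    max-udp-size  4096;

    // Negative-response TTL handling for SOA queries (these are the 9.4 defaults).
    zero-no-soa-ttl yes;
    zero-no-soa-ttl-cache no;
};

// TSIG key for dynamic updates; HMAC-SHA256 is newly supported in 9.4.
// The secret is a constructed sample, not a real key.
key update-key.example.com. {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1yZXBsYWNlLW1l";
};

zone "example.com" {             // placeholder zone
    type master;
    file "example.com.signed";   // placeholder file name
    // Wait at least 5 seconds between sets of NOTIFY messages.
    notify-delay 5;
    // Only the TSIG key above may send UPDATEs to this signed zone, and the
    // KSK flag is honored when re-signing after an update.
    allow-update { key update-key.example.com.; };
    update-check-ksk yes;
};
```

Validation can also be switched at run time with the rndc subcommand described above, `rndc validation newstate [view]`; on a network whose firewall or proxy breaks DNSSEC, turning it off temporarily and back on afterwards avoids editing the file (I assume `on` and `off` as the newstate keywords). `named-checkconf` reads the file back and, per the 9.4 notes, also verifies that every acl referenced exists and that the logging stanza is sane.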
BIND 9.4 Administrator Reference Manual
The BIND 9 Administrator Reference Manual is included with the source distribution in DocBook XML and HTML format, in the doc/arm directory. Some of the programs in the BIND 9 distribution have man pages under the doc/man directory. In particular, the command line options of "named" are documented in doc/man/bind/named.8. There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration notes in doc/misc/migration. If you are upgrading from BIND 4, read doc/misc/migration-4to9. Frequently asked questions and their answers can be found in the FAQ.
BIND 9 currently requires a UNIX system with an ANSI C compiler, basic
POSIX support, and a 64 bit integer type.
We've had successful builds and tests on the following systems:
To build, just run ./configure followed by make. Do not use a parallel "make".

Several environment variables that can be set before running configure will affect compilation:
CC
CFLAGS
STD_CINCLUDES
STD_CDEFINES

To build shared libraries, specify "--with-libtool" on the configure command line.

For the server to support DNSSEC, you need to build it with crypto support. You must have OpenSSL 0.9.5a or newer installed and specify "--with-openssl" on the configure command line. If OpenSSL is installed under a nonstandard prefix, you can tell configure where to look for it using "--with-openssl=/prefix".

To build libbind (BIND 8 resolver library), specify "--enable-libbind" on the configure command line.

On some platforms, BIND 9 can be built with multithreading support, allowing it to take advantage of multiple CPUs. You can specify whether to build a multithreaded BIND 9 by specifying "--enable-threads" or "--disable-threads" on the configure command line. The default is operating system dependent.

If your operating system has integrated support for IPv6, it will be used automatically. If you have installed KAME IPv6 separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries. By default, installation is into /usr/local, but this can be changed with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory where configuration files like "named.conf" go by default, and "--localstatedir" to set the default parent directory of "run/named.pid". For backwards compatibility with BIND 8, --sysconfdir defaults to "/etc" and --localstatedir defaults to "/var" if no --prefix option is given. If there is a --prefix option, sysconfdir defaults to "$prefix/etc" and localstatedir defaults to "$prefix/var".

To see additional configure options, run "configure --help". Note that the help message does not reflect the BIND 8 compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you should also "make depend". If you're using Emacs, you might find "make tags" helpful.
Building with gcc is not supported, unless gcc is the vendor's usual compiler (e.g. the various BSD systems, Linux). Known compiler issues:
A limited test suite can be run with "make test". Many of the tests require you to configure a set of virtual IP addresses on your system, and some require Perl; see bin/tests/system/README for details.
BIND 9.4.2-P2-W1 is now available. This is a WINDOWS-SPECIFIC update to the second security patch for BIND 9.4.2. It addresses long-standing scalability issues in the socket code for Windows that were exposed by the changes in BIND 9.4.2-P1 and -P2. This release contains no code changes that are not specific to the Windows operating system. It will compile and run correctly on all supported platforms, but there is no need to upgrade from P2 to P2-W1 unless you are running BIND on Windows.

NOTE: Effective immediately, the Windows 2000 and Windows NT operating systems are no longer supported. This release has been tested and is supported on Windows 2003, Windows XP, and Windows 2008.

BIND 9.4.2-P2-W1 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/bind-9.4.2-P2-W1.tar.gz

The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/bind-9.4.2-P2-W1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/bind-9.4.2-P2-W1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/bind-9.4.2-P2-W1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.zip
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.debug.zip

The PGP signature of the binary kit for Windows XP, Windows 2003, and Windows 2008 is at
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2-P2-W1/BIND9.4.2-P2-W1.debug.zip.sha512.asc

Changes since 9.4.2-P2:

--- 9.4.2-P2-W1 released ---

2432. [bug] More Windows socket handling improvements. Stop using I/O events and use IO Completion Ports throughout. Rewrite the receive path logic to make it easier to support multiple simultaneous requesters in the future. Add stricter consistency checking as a compile-time option (define ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).

2420. [bug] Windows socket handling cleanup. Let the io completion event send out cancelled read/write done events, which keeps us from writing to memory we no longer have ownership of. Add debugging socket_log() function. Rework TCP socket handling to not leak sockets.
Bug reports should be sent to:
bind9-bugs@isc.org

Please check the list of upcoming fixes below before submitting a bug report.

To join the BIND Users mailing list, send mail to: bind-users-request@isc.org.

If you're planning on making changes to the BIND 9 source code, you might want to join the BIND Workers mailing list. Send mail to: bind-workers-request@isc.org
2433. | [tuning] | Set initial timeout to 800ms. |
2430. | [bug] | win32: isc_interval_set() could round down to zero if the input was less than NS_INTERVAL nanoseconds. Round up instead. [RT #18549] |
2429. | [doc] | nsupdate should be in section 1 of the man pages. |
2426. | [bug] | libbind: inet_net_pton() can sometimes return the wrong value if excessively large netmasks are supplied. [RT #18512] |
2425. | [bug] | named didn't detect unavailable query source addresses at load time. [RT #18536] |
2424. | [port] | configure now probes for a working epoll implementation. Allow the use of kqueue, epoll and /dev/poll to be selected at compile time. [RT #18277] |
2422. | [bug] | Handle the special return value of an empty node as if it was a NXRRSET in the validator. [RT #18447] |
2421. | [func] | Add new command line option '-S' for named to specify the max number of sockets. [RT #18493] Use caution: this option may not work for some operating systems without rebuilding named. |
2417. | [bug] | Connecting UDP sockets for outgoing queries could unexpectedly fail with an 'address already in use' error. [RT #18411] |
2416. | [func] | Log file descriptors that cause exceeding the internal maximum. [RT #18460] |
2414. | [bug] | A masterdump context held the database lock too long, causing various troubles such as dead lock and recursive lock acquisition. [RT #18311, #18456] |
2413. | [bug] | Fixed an unreachable code path in socket.c. [RT #18442] |
2412. | [bug] | win32: address a resource leak. [RT #18374] |
2411. | [bug] | Allow using a larger number of sockets than FD_SETSIZE for select(). To enable this, set ISC_SOCKET_MAXSOCKETS at compilation time. [RT #18433] |
2410. | [bug] | Correctly delete m_versionInfo. [RT #18432] |
2408. | [bug] | A duplicate TCP dispatch event could be sent, which could then trigger an assertion failure in resquery_response(). [RT #18275] |
2407. | [port] | hpux: test for sys/dyntune.h. [RT #18421] |
2406. | [bug] | Sockets could be closed too early, leading to inconsistent states in the socket module. [RT #18298] |
2404. | [port] | hpux: files unlimited support. |
2403. | [bug] | TSIG context leak. [RT #18341] |
2402. | [port] | Support Solaris 2.11 and over. [RT #18362] |
2401. | [bug] | Expect to get E[MN]FILE errno in internal_accept() (from accept() or fcntl() system calls). [RT #18358] |
2399. | [bug] | Abort timeout queries to reduce the number of open UDP sockets. [RT #18367] |
2398. | [bug] | Improve file descriptor management. New, temporary, named.conf option reserved-sockets, default 512. [RT #18344] |
2396. | [bug] | Don't set SO_REUSEADDR for randomized ports. |
2395. | [port] | Avoid warning and no effect from "files unlimited" on Linux when running as root. [RT #18335] |
2394. | [bug] | Default configuration options set the limit for open files to 'unlimited' as described in the documentation. [RT #18331] |
2392. | [bug] | remove 'grep -q' from acl test script, some platforms don't support it. [RT #18253] |
2391. | [port] | hpux: cover additional recvmsg() error codes. |
2390. | [bug] | dispatch.c could make a false warning on 'odd socket'. |
2389. | [bug] | Move the "working directory writable" check to after the ns_os_changeuser() call. [RT #18326] |
2386. | [func] | Add warning about too small 'open files' limit. |
--- 9.4.3b2 released --- |
2385. | [bug] | A condition variable in socket.c could leak in rare error handling [RT #17968]. |
2384. | [security] | Additional support for query port randomization (change #2375) including performance improvement and port range specification. [RT #17949, #18098] |
2383. | [bug] | named could double queries when they resulted in SERVFAIL due to overkilling EDNS0 failure detection. |
2382. | [doc] | Add descriptions of IPSECKEY, SPF and SSHFP to ARM. |
2381. | [port] | dlz/mysql: support multiple install layouts for mysql. <prefix>/include/{,mysql/}mysql.h and <prefix>/lib/{,mysql/}. [RT #18152] |
2380. | [bug] | dns_view_find() was not returning NXDOMAIN/NXRRSET proofs which, in turn, caused validation failures for insecure zones immediately below a secure zone the server was authoritative for. [RT #18112] |
2379. | [contrib] | queryperf/gen-data-queryperf.py: removed redundant TLDs and supported RRs with TTLs [RT #17972] |
2377. | [bug] | Address race condition in dnssec-signzone. [RT #18142] |
2376. | [bug] | Change #2144 was not complete. |
2375. | [security] | Fully randomize UDP query ports to improve forgery resilience. [RT #17949] |
2372. | [bug] | fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] |
2369. | [bug] | libbind: Array bounds overrun on read in bitncmp(). |
2364. | [bug] | named could trigger an assertion when serving a malformed signed zone. [RT #17828] |
2363. | [port] | sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". |
2361. | [bug] | "recursion" statistics counter could be counted multiple times for a single query. [RT #17990] |
--- 9.4.3b1 released --- |
2358. | [doc] | Update host's default query description. [RT #17934] |
2356. | [bug] | Built in mutex profiler was not scalable enough. |
2353. | [func] | libbind: nsid support. [RT #17091] |
2350. | [port] | win32: IPv6 support. [RT #17797] |
2347. | [bug] | Delete now traverses the RB tree in the canonical order. [RT #17451] |
2345. | [bug] | named-checkconf failed to detect when forwarders were set at both the options/view level and in a root zone. [RT #17671] |
2344. | [bug] | Improve "logging{ file ...; };" documentation. |
2343. | [bug] | (Seemingly) duplicate IPv6 entries could be created in ADB. [RT #17837] |
2341. | [bug] | libbind: add missing -I../include for off source tree builds. [RT #17606] |
2340. | [port] | openbsd: interface configuration. [RT #17700] |
2339. | [port] | tru64: support for libbind. [RT #17589] |
2338. | [bug] | check_ds() could be called with a non DS rdataset. |
2337. | [bug] | BUILD_LDFLAGS was not being correctly set. [RT #17614] |
2335. | [port] | sunos: libbind and *printf() support for long long. |
2334. | [bug] | Bad REQUIRES in fromstruct_in_naptr(), off by one bug in fromstruct_txt(). [RT #17609] |
2333. | [bug] | Fix off by one error in isc_time_nowplusinterval(). |
2332. | [contrib] | query-loc-0.4.0. [RT #17602] |
2331. | [bug] | Failure to regenerate any signatures was not being reported nor being passed back to the UPDATE client. |
2330. | [bug] | Remove potential race condition when handling over memory events. [RT #17572] WARNING: API CHANGE: over memory callback function now needs to call isc_mem_waterack(). See <isc/mem.h> for details. |
2329. | [bug] | Clearer help text for dig's '-x' and '-i' options. |
2328. | [maint] | Add AAAA addresses for A.ROOT-SERVERS.NET, J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and |
2326. | [bug] | It was possible to trigger an INSIST in the acache processing. |
2325. | [port] | Linux: use capset() function if available. [RT #17557] |
2323. | [port] | tru64: namespace clash. [RT #17547] |
2322. | [port] | MacOS: work around the limitation of setrlimit() for RLIMIT_NOFILE. [RT #17526] |
2319. | [bug] | Silence Coverity warnings in lib/dns/rdata/in_1/apl_42.c. [RT #17469] |
2318. | [port] | sunos fixes for libbind. [RT #17514] |
2314. | [bug] | Uninitialized memory use on error path in bin/named/lwdnoop.c. [RT #17476] |
2313. | [cleanup] | Silence Coverity warnings. Handle private stacks. |
2312. | [cleanup] | Silence Coverity warning in lib/isc/unix/socket.c. |
2311. | [func] | Update ACL regression test. [RT #17462] |
2310. | [bug] | dig, host, nslookup: flush stdout before emitting debug/fatal messages. [RT #17501] |
2308. | [cleanup] | Silence Coverity warning in bin/named/controlconf.c. |
2307. | [bug] | Remove infinite loop from lib/dns/sdb.c. [RT #17496] |
2306. | [bug] | Remove potential race from lib/dns/resolver.c. |
2305. | [security] | inet_network() buffer overflow. CVE-2008-0122. |
2304. | [bug] | Check returns from all dns_rdata_tostruct() calls. |
2303. | [bug] | Remove unnecessary code from bin/named/lwdgnba.c. |
2302. | [bug] | Fix memset() calls in lib/tests/t_api.c. [RT #17472] |
2301. | [bug] | Remove resource leak and fix error messages in bin/tests/system/lwresd/lwtest.c. [RT #17474] |
2300. | [bug] | Fixed failure to close open file in bin/tests/names/t_names.c. [RT #17473] |
2299. | [bug] | Remove unnecessary NULL check in bin/nsupdate/nsupdate.c. [RT #17475] |
2298. | [bug] | isc_mutex_lock() failure not caught in bin/tests/timers/t_timers.c. [RT #17468] |
2297. | [bug] | isc_entropy_createfilesource() failure not caught in bin/tests/dst/t_dst.c. [RT #17467] |
2296. | [port] | Allow docbook stylesheet location to be specified to configure. [RT #17457] |
2295. | [bug] | Silence static overrun error in bin/named/lwaddr.c. |
2293. | [func] | Add ACL regression test. [RT #17375] |
2292. | [bug] | Log if the working directory is not writable. |
2291. | [bug] | PR_SET_DUMPABLE may be set too late. Also report failure to set PR_SET_DUMPABLE. [RT #17312] |
2290. | [bug] | Let AD in the query signal that the client wants AD set in the response. [RT #17301] |
2288. | [port] | win32: mark service as running when we have finished loading. [RT #17441] |
2287. | [bug] | Use 'volatile' if the compiler supports it. [RT #17413] |
2284. | [bug] | Memory leak in UPDATE prerequisite processing. |
2283. | [bug] | TSIG keys were not attaching to the memory context. TSIG keys should use the rings memory context rather than the clients memory context. [RT #17377] |
2279. | [bug] | Use setsockopt(SO_NOSIGPIPE), when available, to protect applications from receiving spurious SIGPIPE signals when using the resolver. |
2278. | [bug] | win32: handle the case where Windows returns no search list or DNS suffix. [RT #17354] |
2277. | [bug] | Empty zone names were not correctly being caught in the post parse checks. [RT #17357] |
2273. | [bug] | Adjust log level to WARNING when saving inconsistent stub/slave master and journal files. [RT #17279] |
2272. | [bug] | Handle illegal dnssec-lookaside trust-anchor names. |
2270. | [bug] | dns_db_closeversion() version->writer could be reset before it is tested. [RT #17290] |
2269. | [contrib] | dbus memory leaks and missing va_end calls. [RT #17232] |
2268. | [bug] | 0.IN-ADDR.ARPA was missing from the empty zones list. |
2266. | [bug] | client.c:get_clientmctx() returned the same mctx once the pool of mctx's was filled. [RT #17218] |
2265. | [bug] | Test that the memory context's basic_table is non NULL before freeing. [RT #17265] |
2264. | [bug] | Server prefix length was being ignored. [RT #17308] |
2263. | [bug] | "named-checkconf -z" failed to set default value for "check-integrity". [RT #17306] |
2262. | [bug] | Error status from all but the last view could be lost. [RT #17292] |
2260. | [bug] | Reported wrong clients-per-query when increasing the value. [RT #17236] |
2247. | [doc] | Sort doc/misc/options. [RT #17067] |
2246. | [bug] | Make the startup of test servers (ans.pl) more robust. [RT #17147] |