1 Summary of functional enhancements from prior major releases of BIND 9:
5 BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
6 releases. New features include:
8 - Built-in trust anchor for the root zone, which can be
9 switched on via "dnssec-validation auto;"
11 - Support for response policy zones (RPZ).
12 - Support for writable DLZ zones.
13 - Improved ease of configuration of GSS/TSIG for
14 interoperability with Active Directory
15 - Support for GOST signing algorithm for DNSSEC.
16 - Removed RTT Banding from server selection algorithm.
17 - New "static-stub" zone type.
18 - Allow configuration of resolver timeouts via
19 "resolver-query-timeout" option.
20 - The DLZ "dlopen" driver is now built by default.
21 - Added a new include file with function typedefs
22 for the DLZ "dlopen" driver.
23 - Made "--with-gssapi" default.
24 - More verbose error reporting from DLZ LDAP.
28 BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
29 releases. Most are intended to simplify DNSSEC configuration.
32 - Fully automatic signing of zones by "named".
33 - Simplified configuration of DNSSEC Lookaside Validation (DLV).
34 - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
35 command line tool or the "local" update-policy option. (As a side
36 effect, this also makes it easier to configure automatic zone
38 - New named option "attach-cache" that allows multiple views to
40 - DNS rebinding attack prevention.
41 - New default values for dnssec-keygen parameters.
42 - Support for RFC 5011 automated trust anchor maintenance
43 - Smart signing: simplified tools for zone signing and key
45 - The "statistics-channels" option is now available on Windows.
46 - A new DNSSEC-aware libdns API for use by non-BIND9 applications
47 - On some platforms, named and other binaries can now print out
48 a stack backtrace on assertion failure, to aid in debugging.
49 - A "tools only" installation mode on Windows, which only installs
50 dig, host, nslookup and nsupdate.
51 - Improved PKCS#11 support, including Keyper support and explicit
52 OpenSSL engine selection.
58 Automatic zone re-signing
60 New update-policy methods tcp-self and 6to4-self
62 The BIND 8 resolver library, libbind, has been removed from the
63 BIND 9 distribution and is now available as a separate download.
65 Change the default pid file location from /var/run to
66 /var/run/{named,lwresd} for improved chroot/setuid support.
70 GSS-TSIG support (RFC 3645).
74 Experimental http server and statistics support for named via xml.
76 More detailed statistics counters including those supported in BIND 8.
78 Faster ACL processing.
80 Use Doxygen to generate internal documentation.
82 Efficient LRU cache-cleaning mechanism.
88 Implemented "additional section caching (or acache)", an
89 internal cache framework for additional section content to
90 improve response performance. Several configuration options
91 were provided to control the behavior.
93 New notify type 'master-only'. Enable notify for master
96 Accept 'notify-source' style syntax for query-source.
98 rndc now allows addresses to be set in the server clauses.
100 New option "allow-query-cache". This lets "allow-query"
101 be used to specify the default zone access level rather
102 than having to have every zone override the global value.
103 "allow-query-cache" can be set at both the options and view
104 levels. If "allow-query-cache" is not set then "allow-recursion"
105 is used if set, otherwise "allow-query" is used if set
106 unless "recursion no;" is set in which case "none;" is used,
107 otherwise the default (localhost; localnets;) is used.
109 rndc: the source address can now be specified.
111 ixfr-from-differences now takes master and slave in addition
112 to yes and no at the options and view levels.
114 Allow the journal's name to be changed via named.conf.
116 'rndc notify zone [class [view]]' resend the NOTIFY messages
117 for the specified zone.
119 'dig +trace' now randomly selects the next servers to try.
120 Report if there is a bad delegation.
122 Improve check-names error messages.
124 Make public the function to read a key file, dst_key_read_public().
126 dig now returns the byte count for axfr/ixfr.
128 allow-update is now settable at the options / view level.
130 named-checkconf now checks the logging configuration.
132 host now can turn on memory debugging flags with '-m'.
134 Don't send notify messages to self.
136 Perform sanity checks on NS records which refer to 'in zone' names.
138 New zone option "notify-delay". Specify a minimum delay
139 between sets of NOTIFY messages.
141 Extend adjusting TTL warning messages.
143 Named and named-checkzone can now both check for non-terminal
146 "rndc freeze/thaw" now freezes/thaws all zones.
148 named-checkconf now check acls to verify that they only
149 refer to existing acls.
151 The server syntax has been extended to support a range of
154 Report differences between hints and real NS rrset and
155 associated address records.
157 Preserve the case of domain names in rdata during zone
160 Restructured the data locking framework using architecture
161 dependent atomic operations (when available), improving
162 response performance on multi-processor machines significantly.
163 x86, x86_64, alpha, powerpc, and mips are currently supported.
165 UNIX domain controls are now supported.
167 Add support for additional zone file formats for improving
168 loading performance. The masterfile-format option in
169 named.conf can be used to specify a non-default format. A
170 separate command named-compilezone was provided to generate
171 zone files in the new format. Additionally, the -I and -O
172 options for dnssec-signzone specify the input and output
175 dnssec-signzone can now randomize signature end times
176 (dnssec-signzone -j jitter).
178 Add support for CH A record.
180 Add additional zone data constancy checks. named-checkzone
181 has extended checking of NS, MX and SRV record and the hosts
182 they reference. named has extended post zone load checks.
183 New zone options: check-mx and integrity-check.
186 edns-udp-size can now be overridden on a per server basis.
188 dig can now specify the EDNS version when making a query.
190 Added framework for handling multiple EDNS versions.
192 Additional memory debugging support to track size and mctx
195 Detect duplicates of UDP queries we are recursing on and
196 drop them. New stats category "duplicates".
198 "USE INTERNAL MALLOC" is now runtime selectable.
200 The lame cache is now done on a <qname,qclass,qtype> basis
201 as some servers only appear to be lame for certain query
204 Limit the number of recursive clients that can be waiting
205 for a single query (<qname,qtype,qclass>) to resolve. New
206 options clients-per-query and max-clients-per-query.
208 dig: report the number of extra bytes still left in the
209 packet after processing all the records.
211 Support for IPSECKEY rdata type.
213 Raise the UDP recieve buffer size to 32k if it is less than 32k.
215 x86 and x86_64 now have seperate atomic locking implementations.
217 named-checkconf now validates update-policy entries.
219 Attempt to make the amount of work performed in a iteration
220 self tuning. The covers nodes clean from the cache per
221 iteration, nodes written to disk when rewriting a master
222 file and nodes destroyed per iteration when destroying a
227 Automatic empty zone creation for D.F.IP6.ARPA and friends.
228 Note: RFC 1918 zones are not yet covered by this but are
229 likely to be in a future release.
231 New options: empty-server, empty-contact, empty-zones-enable
232 and disable-empty-zone.
234 dig now has a '-q queryname' and '+showsearch' options.
236 host/nslookup now continue (default)/fail on SERVFAIL.
238 dig now warns if 'RA' is not set in the answer when 'RD'
239 was set in the query. host/nslookup skip servers that fail
240 to set 'RA' when 'RD' is set unless a server is explicitly
243 Integrate contibuted DLZ code into named.
245 Integrate contibuted IDN code from JPNIC.
247 libbind: corresponds to that from BIND 8.4.7.
251 DNSSEC is now DS based (RFC 3658).
252 See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
254 DNSSEC lookaside validation.
256 check-names is now implemented.
257 rrset-order in more complete.
259 IPv4/IPv6 transition support, dual-stack-servers.
261 IXFR deltas can now be generated when loading master files,
262 ixfr-from-differences.
264 It is now possible to specify the size of a journal, max-journal-size.
266 It is now possible to define a named set of master servers to be
267 used in masters clause, masters.
269 The advertised EDNS UDP size can now be set, edns-udp-size.
271 allow-v6-synthesis has been obsoleted.
274 * Zones containing MD and MF will now be rejected.
275 * dig, nslookup name. now report "Not Implemented" as
276 NOTIMP rather than NOTIMPL. This will have impact on scripts
277 that are looking for NOTIMPL.
279 libbind: corresponds to that from BIND 8.4.5.
283 The size of the cache can now be limited using the
284 "max-cache-size" option.
286 The server can now automatically convert RFC1886-style recursive
287 lookup requests into RFC2874-style lookups, when enabled using the
288 new option "allow-v6-synthesis". This allows stub resolvers that
289 support AAAA records but not A6 record chains or binary labels to
290 perform lookups in domains that make use of these IPv6 DNS
293 Performance has been improved.
295 The man pages now use the more portable "man" macros rather than
296 the "mandoc" macros, and are installed by "make install".
298 The named.conf parser has been completely rewritten. It now
299 supports "include" directives in more places such as inside "view"
300 statements, and it no longer has any reserved words.
302 The "rndc status" command is now implemented.
304 rndc can now be configured automatically.
306 A BIND 8 compatible stub resolver library is now included in
309 OpenSSL has been removed from the distribution. This means that to
310 use DNSSEC, OpenSSL must be installed and the --with-openssl option
311 must be supplied to configure. This does not apply to the use of
312 TSIG, which does not require OpenSSL.
314 The source distribution now builds on Windows. See
315 win32utils/readme1.txt and win32utils/win32-build.txt for details.
317 This distribution also includes a new lightweight stub
318 resolver library and associated resolver daemon that fully
319 support forward and reverse lookups of both IPv4 and IPv6
320 addresses. This library is considered experimental and
321 is not a complete replacement for the BIND 8 resolver library.
322 Applications that use the BIND 8 res_* functions to perform
323 DNS lookups or dynamic updates still need to be linked against
324 the BIND 8 libraries. For DNS lookups, they can also use the
325 new "getrrsetbyname()" API.
327 BIND 9.2 is capable of acting as an authoritative server
328 for DNSSEC secured zones. This functionality is believed to
329 be stable and complete except for lacking support for
330 verifications involving wildcard records in secure zones.
332 When acting as a caching server, BIND 9.2 can be configured
333 to perform DNSSEC secure resolution on behalf of its clients.
334 This part of the DNSSEC implementation is still considered
335 experimental. For detailed information about the state of the
336 DNSSEC implementation, see the file doc/misc/dnssec.
338 There are a few known bugs:
340 On some systems, IPv6 and IPv4 sockets interact in
341 unexpected ways. For details, see doc/misc/ipv6.
342 To reduce the impact of these problems, the server
343 no longer listens for requests on IPv6 addresses
344 by default. If you need to accept DNS queries over
345 IPv6, you must specify "listen-on-v6 { any; };"
346 in the named.conf options statement.
348 FreeBSD prior to 4.2 (and 4.2 if running as non-root)
349 and OpenBSD prior to 2.8 log messages like
350 "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
351 This is due to a bug in "/dev/random" and impacts the
352 server's DNSSEC support.
354 OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
355 OS X 10.2 (Darwin 6.0) reports errors like
356 "fcntl(3, F_SETFL, 4): Operation not supported by device".
357 This is due to a bug in "/dev/random" and impacts the
358 server's DNSSEC support.
360 --with-libtool does not work on AIX.
362 A bug in some versions of the Microsoft DNS server can cause zone
363 transfers from a BIND 9 server to a W2K server to fail. For details,
364 see the "Zone Transfers" section in doc/misc/migration.