BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

        - TSIG (signed DNS requests)
        - Answers DNS queries on IPv6 sockets
        - IPv6 resource records (AAAA)
        - Experimental IPv6 Resolver Library
        - DNS Protocol Enhancements
          - IXFR, DDNS, Notify, EDNS0
          - Improved standards conformance
        - One server process can provide multiple "views" of
          the DNS namespace, e.g. an "inside" view to certain
          clients, and an "outside" view to others.
        - Multiprocessor Support
        - Improved Portability Architecture
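A minimal split-horizon configuration of the kind the "views" bullet describes, as an added example that is not part of this README or of BIND's own documentation; the ACL name, zone name, file paths and address ranges are assumptions:

```conf
// Clients on these networks get the "inside" view; everyone else gets "outside".
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

view "inside" {
    match-clients { internal; };
    recursion yes;                     // recursive service for internal clients only
    allow-recursion { internal; };
    zone "example.com" {
        type master;
        file "zones/example.com.inside";   // contains internal host names
    };
};

view "outside" {
    match-clients { any; };            // catch-all: must be the last view
    recursion no;                      // authoritative-only toward the Internet
    allow-transfer { none; };          // no zone transfers to arbitrary clients
    zone "example.com" {
        type master;
        file "zones/example.com.outside";  // public names only
    };
};
```

Views are tried in the order they are declared, so the catch-all view has to come last, and once any view exists every zone (root hints and empty zones included) must be declared inside a view. "match-clients" selects on the unauthenticated source address; where the separation matters, match on a TSIG key as well ("match-clients { key internal-key; internal; };") so that a spoofed internal address alone does not select the inside view. Check the result with "named-checkconf" and with "dig" from an address in each range.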
BIND version 9 development has been underwritten by the following

        Sun Microsystems, Inc.
        Compaq Computer Corporation
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        Stichting NLnet - NLnet Foundation

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.10.2-P4 is a security release addressing the flaws
described in CVE-2015-5722 and CVE-2015-5986.

BIND 9.10.2-P3 is a security release addressing the flaw
described in CVE-2015-5477. This one deserves particular
attention: a single crafted TKEY query causes named to exit
on an assertion failure, it affects authoritative and recursive
servers alike, and address-based ACLs do not prevent it, so
upgrading is the only effective remedy.

BIND 9.10.2-P2 is a security release addressing the flaw
described in CVE-2015-4620.

The 2015 issues above (CVE-2015-4620, CVE-2015-5477,
CVE-2015-5722 and CVE-2015-5986) are all remotely triggered
denial-of-service conditions in which named exits on an
assertion failure, reachable by an unauthenticated party who
can send queries to the server or have it resolve names in a
zone the attacker controls. Confirm the version that is actually
running with "named -V" or "rndc status" rather than relying on
a package name.

BIND 9.10.2-P1 is a patch release addressing several
bugs recently found in the response-policy zones (RPZ)
implementation in BIND 9.10. These mostly affect servers
that have multiple frequently-updated response-policy

BIND 9.10.2 is a maintenance release and addresses bugs
found in BIND 9.10.1 and earlier, as well as the security
flaws described in CVE-2014-8500, CVE-2014-8680 and

BIND 9.10.1 is a maintenance release and addresses bugs
found in BIND 9.10.0 and earlier.

This release addresses the security flaws described in
CVE-2014-3214 and CVE-2014-3859.
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

        - DNS Response-rate limiting (DNS RRL), which blunts the
          impact of reflection and amplification attacks, is always
          compiled in and no longer requires a compile-time option
        - An experimental "Source Identity Token" (SIT) EDNS option
          is now available. Similar to DNS Cookies as invented by
          Donald Eastlake 3rd, these are designed to enable clients
          to detect off-path spoofed responses, and to enable servers
          to detect spoofed-source queries. Servers can be configured
          to send smaller responses to clients that have not identified
          themselves using a SIT option, reducing the effectiveness of
          amplification attacks. RRL processing has also been updated;
          clients proven to be legitimate via SIT are not subject to
          rate limiting. Use "configure --enable-sit" to enable this
        - A new zone file format, "map", stores zone data in a
          format that can be mapped directly into memory, allowing
          significantly faster zone loading.
        - "delv" (domain entity lookup and validation) is a new tool
          with dig-like semantics for looking up DNS data and performing
          internal DNSSEC validation. This allows easy validation in
          environments where the resolver may not be trustworthy, and
          assists with troubleshooting of DNSSEC problems. (NOTE:
          In previous development releases of BIND 9.10, this utility
          was called "delve". The spelling has been changed to avoid
          confusion with the "delve" utility included with the Xapian
        - Improved EDNS(0) processing for better resolver performance
          and reliability over slow or lossy connections.
        - A new "configure --with-tuning=large" option tunes certain
          compiled-in constants and default settings to values better
          suited to large servers with abundant memory. This can
          improve performance on such servers, but will consume more
          memory and may degrade performance on smaller systems.
        - Substantial improvement in response-policy zone (RPZ)
          performance. Up to 32 response-policy zones can be
          configured with minimal performance loss.
        - To improve recursive resolver performance, cache records
          which are still being requested by clients can now be
          automatically refreshed from the authoritative server
          before they expire, reducing or eliminating the time
          window in which no answer is available in the cache.
        - New "rpz-client-ip" triggers and drop policies allowing
          response policies based on the IP address of the client.
        - ACLs can now be specified based on geographic location
          using the MaxMind GeoIP databases. Use "configure
          --with-geoip" to enable.
        - Zone data can now be shared between views, allowing
          multiple views to serve the same zones authoritatively
          without storing multiple copies in memory.
        - New XML schema (version 3) for the statistics channel
          includes many new statistics and uses a flattened XML tree
          for faster parsing. The older schema is now deprecated.
        - A new stylesheet, based on the Google Charts API, displays
          XML statistics in charts and graphs on javascript-enabled
        - The statistics channel can now provide data in JSON
          format as well as XML.
        - New stats counters track TCP and UDP queries received
          per zone, and EDNS options received in total.
        - The internal and export versions of the BIND libraries
          (libisc, libdns, etc) have been unified so that external
          library clients can use the same libraries as BIND itself.
        - A new compile-time option, "configure --enable-native-pkcs11",
          allows BIND 9 cryptography functions to use the PKCS#11 API
          natively, so that BIND can drive a hardware security
          module (HSM) directly instead of using a modified
          OpenSSL as an intermediary. (Note: This feature requires an
          HSM to have a full implementation of the PKCS#11 API; many
          current HSMs only have partial implementations. The new
          "pkcs11-tokens" command can be used to check API completeness.
          Native PKCS#11 is known to work with the Thales nShield HSM
          and with SoftHSM version 2 from the Open DNSSEC project.)
        - The new "max-zone-ttl" option enforces maximum TTLs for
          zones. This can simplify the process of rolling DNSSEC keys
          by guaranteeing that cached signatures will have expired
          within the specified amount of time.
        - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
        - "dig +expire" sends an EDNS EXPIRE option when querying.
          When this option is sent with an SOA query to a server
          that supports it, it will report the expiry time of
        - New "dnssec-coverage" tool to check DNSSEC key coverage
          for a zone and report if a lapse in signing coverage has
          been inadvertently scheduled.
        - Signing algorithm flexibility and other improvements
          for the "rndc" control channel.
        - "named-checkzone" and "named-compilezone" can now read
          journal files, allowing them to process dynamic zones.
        - Multiple DLZ databases can now be configured. Individual
          zones can be configured to be served from a specific DLZ
          database. DLZ databases now serve zones of type "master"
        - "rndc zonestatus" reports information about a specified zone.
        - "named" now listens on IPv6 as well as IPv4 interfaces
        - "named" now preserves the capitalization of names
          when responding to queries: for instance, a query for
          "example.com" may be answered with "example.COM" if the
          name was configured that way in the zone file. Some
          clients have a bug causing them to depend on the older
          behavior, in which the case of the answer always matched
          the case of the query, rather than the case of the name
          configured in the DNS. Such clients can now be specified
          in the new "no-case-compress" ACL; this will restore the
          older behavior of "named" for those clients only.
        - New "dnssec-importkey" command allows the use of offline
          DNSSEC keys with automatic DNSKEY management.
        - New "named-rrchecker" tool to verify the syntactic
          correctness of individual resource records.
        - When re-signing a zone, the new "dnssec-signzone -Q" option
          drops signatures from keys that are still published but are
        - "named-checkconf -px" will print the contents of configuration
          files with the shared secrets obscured, making it easier to
          share configuration (e.g. when submitting a bug report)
          without revealing private information.
        - "rndc scan" causes named to re-scan network interfaces for
          changes in local addresses.
        - On operating systems with support for routing sockets,
          network interfaces are re-scanned automatically whenever
        - "tsig-keygen" is now available as an alternate command
          name to use for "ddns-confgen".
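The RRL and SIT bullets above describe the mechanism in prose. The following Python model, added here and not part of BIND, shows the two pieces working together: per-client-block token buckets with "slip", and a cookie check that exempts clients who have proven their source address. The knob values, the cookie construction (an HMAC over the client address and client cookie, truncated to 8 bytes), the server secret and the traffic are all assumptions constructed for the demonstration; BIND's real bucket accounting (which lets credit go negative) is simplified.

```python
"""Toy model of response-rate limiting with a cookie-style bypass.

Added illustration, not BIND code.  The bucket model is simplified (credit
never goes negative) and the cookie construction is an assumption:
HMAC(secret, client address || client cookie), truncated to 8 bytes.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed knobs, mirroring the named.conf "rate-limit" options of the same names.
RESPONSES_PER_SECOND = 5   # responses-per-second
WINDOW = 5                 # window: seconds of unused credit a bucket may bank
SLIP = 2                   # slip: every 2nd limited response is truncated, not dropped
IPV4_PREFIX_LEN = 24       # ipv4-prefix-length: clients are bucketed per /24

# Demo-only server secret; a real server would generate this at startup.
SERVER_SECRET = b"demo-secret-do-not-use"


@dataclass
class Query:
    src: str                        # source address as seen on the wire
    qname: str
    kind: str                       # "answer" or "nxdomain" (response class)
    t: float                        # arrival time in seconds
    client_cookie: Optional[bytes] = None
    server_cookie: Optional[bytes] = None


def server_cookie(src: str, client_cookie: bytes) -> bytes:
    """Server cookie bound to the client's address and its own cookie."""
    msg = ipaddress.ip_address(src).packed + client_cookie
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]


def cookie_valid(q: Query) -> bool:
    """A query proves its source only if it echoes the cookie we issued to it."""
    if q.client_cookie is None or q.server_cookie is None:
        return False
    return hmac.compare_digest(q.server_cookie, server_cookie(q.src, q.client_cookie))


class RateLimiter:
    def __init__(self) -> None:
        # bucket -> (credit, time of last refill, number of limited responses)
        self.buckets: Dict[Tuple[str, str, str], Tuple[float, float, int]] = {}

    def bucket_key(self, q: Query) -> Tuple[str, str, str]:
        net = ipaddress.ip_network(f"{q.src}/{IPV4_PREFIX_LEN}", strict=False)
        # Positive answers are limited per name; error responses per client block only.
        return (str(net), q.kind, q.qname if q.kind == "answer" else "")

    def decide(self, q: Query) -> str:
        if cookie_valid(q):
            return "answered"           # proven-legitimate client: exempt from RRL
        key = self.bucket_key(q)
        credit, last, limited = self.buckets.get(key, (float(RESPONSES_PER_SECOND), q.t, 0))
        credit = min(credit + (q.t - last) * RESPONSES_PER_SECOND,
                     float(RESPONSES_PER_SECOND * WINDOW))
        if credit >= 1:
            self.buckets[key] = (credit - 1, q.t, limited)
            return "answered"
        limited += 1
        self.buckets[key] = (credit, q.t, limited)
        # "slip": a truncated reply is tiny, so it is useless for amplification,
        # but it tells a real client to retry over TCP.
        return "truncated" if SLIP and limited % SLIP == 0 else "dropped"


def sample_traffic() -> List[Query]:
    """Constructed traffic: a reflection burst plus real clients (not captured data)."""
    qs = []
    # 50 spoofed "example.com" queries claiming to come from the victim's /24.
    for i in range(50):
        qs.append(Query(f"203.0.113.{i % 16 + 1}", "example.com.", "answer", 0.0))
    # Same attacker, guessing a server cookie: must not unlock the bypass.
    qs.append(Query("203.0.113.9", "example.com.", "answer", 0.0,
                    client_cookie=b"\x01" * 8, server_cookie=b"\x00" * 8))
    # A real host inside the victim's /24 that completed a cookie exchange earlier.
    cc = b"\x02" * 8
    qs.append(Query("203.0.113.9", "example.com.", "answer", 0.0,
                    client_cookie=cc, server_cookie=server_cookie("203.0.113.9", cc)))
    # An unrelated client in a different /24 gets its own, untouched bucket.
    for _ in range(3):
        qs.append(Query("198.51.100.7", "www.example.com.", "answer", 2.0))
    return qs


def simulate(queries: Optional[List[Query]] = None) -> List[str]:
    """Return the RRL decision for each query, in order."""
    limiter = RateLimiter()
    return [limiter.decide(q) for q in (queries if queries is not None else sample_traffic())]


if __name__ == "__main__":
    print(Counter(simulate()))   # Counter({'truncated': 23, 'dropped': 23, 'answered': 9})
```

Of the 50-query burst only the first 5 are answered in full; the rest alternate between being dropped and being answered with a truncated reply, which is what keeps a reflector from amplifying while still letting a genuine client inside the spoofed block fall back to TCP. The forged cookie fails the HMAC check and is rate limited like everything else, while the host that really completed a cookie exchange is answered despite the exhausted bucket.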
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

        - Inline signing, allowing automatic DNSSEC signing of
          master zones without modification of the zonefile, or
          "bump in the wire" signing in slaves.
        - NXDOMAIN redirection.
        - New 'rndc flushtree' command clears all data under a given
          name from the DNS cache.
        - New 'rndc sync' command dumps pending changes in a dynamic
          zone to disk without a freeze/thaw cycle.
        - New 'rndc signing' command displays or clears signing status
          records in 'auto-dnssec' zones.
        - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
          to signing, eliminating the need to initially sign with NSEC.
        - Startup time improvements on large authoritative servers.
        - Slave zones are now saved in raw format by default.
        - Several improvements to response policy zones (RPZ).
        - Improved hardware scalability by using multiple threads
          to listen for queries and using finer-grained client locking
        - The 'also-notify' option now takes the same syntax as
          'masters', so it can use named master lists and TSIG keys.
        - 'dnssec-signzone -D' writes an output file containing only DNSSEC
          data, which can be included by the primary zone file.
        - 'dnssec-signzone -R' forces removal of signatures that are
          not expired but were created by a key which no longer exists.
        - 'dnssec-signzone -X' allows a separate expiration date to
          be specified for DNSKEY signatures from other signatures.
        - New '-L' option to dnssec-keygen, dnssec-settime, and
          dnssec-keyfromlabel sets the default TTL for the key.
        - dnssec-dsfromkey now supports reading from standard input,
          to make it easier to convert DNSKEY to DS.
        - RFC 1918 reverse zones have been added to the empty-zones
        - Dynamic updates can now optionally set the zone's SOA serial
          number to the current UNIX time.
        - DLZ modules can now retrieve the source IP address of
        - 'request-ixfr' option can now be set at the per-zone level.
        - 'dig +rrcomments' turns on comments about DNSKEY records,
          indicating their key ID, algorithm and function
        - Simplified nsupdate syntax and added readline support
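The "max-zone-ttl" and "dnssec-coverage" bullets in the 9.10.0 list and the key-timing tools (dnssec-settime, dnssec-signzone -R) in the 9.9.0 list above are about one problem: scheduling a rollover so that no validator ever lacks a usable key or signature. The following Python check is added here and is not ISC's dnssec-coverage; it encodes the pre-publish ZSK rollover intervals of RFC 6781 with max-zone-ttl as the bound on record TTLs. The TTLs, propagation delay and key schedules are constructed for the example.

```python
"""Scheduling check for a pre-publish ZSK rollover under a max-zone-ttl bound.

Added illustration, not ISC code.  Per RFC 6781 a key must be published at
least one DNSKEY TTL plus propagation delay before it signs (Ipub), and must
stay published at least one maximum record TTL (bounded here by max-zone-ttl)
plus propagation delay after it stops signing (Iret).  Times are seconds.
"""
from dataclasses import dataclass
from typing import List, Optional

INF = float("inf")


@dataclass
class Key:
    tag: int
    publish: int                      # DNSKEY enters the zone
    activate: int                     # first signatures made with this key
    inactive: Optional[int] = None    # last signatures made (None: still signing)
    delete: Optional[int] = None      # DNSKEY removed from the zone (None: not scheduled)


def prepublish_interval(dnskey_ttl: int, d_prp: int) -> int:
    """Ipub: time for every validator to have fetched the new DNSKEY RRset."""
    return dnskey_ttl + d_prp


def retire_interval(max_zone_ttl: int, d_prp: int, d_sgn: int = 0) -> int:
    """Iret: time until no cache can still hold a signature made by the old key."""
    return d_sgn + d_prp + max_zone_ttl


def coverage_problems(keys: List[Key], dnskey_ttl: int, max_zone_ttl: int,
                      d_prp: int, d_sgn: int = 0,
                      horizon: Optional[int] = None) -> List[str]:
    """Report scheduling errors; an empty list means the plan is consistent."""
    ipub = prepublish_interval(dnskey_ttl, d_prp)
    iret = retire_interval(max_zone_ttl, d_prp, d_sgn)
    problems: List[str] = []
    ordered = sorted(keys, key=lambda k: k.activate)

    for k in ordered:
        lead = k.activate - k.publish
        if lead < ipub:
            problems.append(f"prepublish: key {k.tag} is published only {lead}s "
                            f"before it signs; need at least {ipub}s")
        if k.inactive is not None and k.delete is not None:
            tail = k.delete - k.inactive
            if tail < iret:
                problems.append(f"retire: key {k.tag} is deleted {tail}s after it "
                                f"stops signing; need at least {iret}s")

    # Sweep the signing intervals; any instant with no active key is a lapse.
    covered_until: float = ordered[0].activate if ordered else 0
    for k in ordered:
        if k.activate > covered_until:
            problems.append(f"lapse: no key signs between {covered_until}s and {k.activate}s")
        covered_until = INF if k.inactive is None else max(covered_until, k.inactive)
    if horizon is not None and covered_until < horizon:
        problems.append(f"lapse: no key signs after {covered_until}s (horizon {horizon}s)")
    return problems


# Assumed deployment parameters.
DNSKEY_TTL = 3600
MAX_ZONE_TTL = 86400      # named.conf: max-zone-ttl 1d;
D_PRP = 3600              # time for all secondaries to load a new zone version
DAY = 86400


def good_rollover() -> List[Key]:
    """Old ZSK retires after 30 days; successor is pre-published exactly Ipub earlier."""
    ipub = prepublish_interval(DNSKEY_TTL, D_PRP)           # 7200
    iret = retire_interval(MAX_ZONE_TTL, D_PRP)             # 90000
    old = Key(tag=1001, publish=0, activate=ipub, inactive=30 * DAY, delete=30 * DAY + iret)
    new = Key(tag=1002, publish=30 * DAY - ipub, activate=30 * DAY)
    return [old, new]


def bad_rollover() -> List[Key]:
    """Successor published too late, activated an hour after the old key stops,
    and the old key deleted while its signatures may still be cached."""
    old = Key(tag=1001, publish=0, activate=7200, inactive=30 * DAY, delete=30 * DAY + 3600)
    new = Key(tag=1002, publish=30 * DAY - 1800, activate=30 * DAY + 3600)
    return [old, new]


if __name__ == "__main__":
    for name, keys in (("good", good_rollover()), ("bad", bad_rollover())):
        print(name, coverage_problems(keys, DNSKEY_TTL, MAX_ZONE_TTL, D_PRP, horizon=60 * DAY))
```

The "bad" schedule produces three findings: the old key is deleted 3600 s after it stops signing although caches may hold its signatures for up to 90000 s, the successor is published 5400 s before it signs instead of 7200 s, and there is a one-hour window with no signing key at all. Setting max-zone-ttl in named.conf is what makes the Iret bound computable without scanning every TTL in the zone.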
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

        COMPAQ Tru64 UNIX 5.1B
        FreeBSD 4.10, 5.2.1, 6.2
        NetBSD 3.x, 4.0-beta, 5.0-beta
        Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

        MacOS X 10.5, 10.6, 10.7
        Red Hat Enterprise Linux 4, 5, 6

Do not use a parallel "make".
Several environment variables that can be set before running
configure will affect compilation:

    CC
        The C compiler to use. configure tries to figure
        out the right one for supported systems.

    CFLAGS
        C compiler flags. Defaults to include -g and/or -O2
        as supported by the compiler. Please include '-g'
        if you need to set CFLAGS.

    STD_CINCLUDES
        System header file directories. Can be used to specify
        where add-on thread or IPv6 support is, for example.
        Defaults to empty string.

    STD_CDEFINES
        Any additional preprocessor symbols you want defined.
        Defaults to empty string.

        Change the default syslog facility of named/lwresd.
            -DISC_FACILITY=LOG_LOCAL0
        Enable DNSSEC signature chasing support in dig.
            -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
        Disable dropping queries from particular well known ports.
            -DNS_CLIENT_DROPPORT=0
        Sibling glue checking in named-checkzone is enabled by default.
        To disable the default check, set -DCHECK_SIBLING=0.
        named-checkzone checks out-of-zone addresses by default.
        To disable this default, set -DCHECK_LOCAL=0.
        To create the default pid files in ${localstatedir}/run rather
        than ${localstatedir}/run/{named,lwresd}/, set
        Enable workaround for Solaris kernel bug about /dev/poll
            -DISC_SOCKET_USE_POLLWATCH=1
        The watch timeout is also configurable, e.g.,
            -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    LDFLAGS
        Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    BUILD_CC
        The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)
On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.) Whatever the build, run named
under an unprivileged account with -u: it binds port 53 before
dropping privileges, so it never needs to keep running as root.

To build shared libraries, specify "--with-libtool" on the
configure command line.

Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g., 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
(http://xmlsoft.org) or json-c (https://github.com/json-c).
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).
Known compiler issues:

    * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
    * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
    * gcc-3.3.5 powerpc generates incorrect code at -O2.
    * Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.
The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Additional information on various subjects can be found
in the other README files.
A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:

        [bug]           General bug fix
        [security]      Fix for a significant security flaw
        [experimental]  Used for new features when the syntax
                        or other aspects of the design are still
                        in flux and may change
        [port]          Portability enhancement
        [maint]         Updates to built-in data such as root
                        server addresses and keys
        [tuning]        Changes to built-in configuration defaults
                        and constants to improve performance
        [protocol]      Updates to the DNS protocol such as new
        [test]          Changes to the automatic tests, not
                        affecting server functionality
        [cleanup]       Minor corrections and refactoring
        [contrib]       Changes to the contributed tools and
                        libraries in the 'contrib' subdirectory
        [placeholder]   Used in the master development branch to
                        reserve change numbers for use in other
                        branches, e.g. when fixing a bug that only
                        exists in older releases

In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.
Bug Reports and Mailing Lists

Bug reports should be sent to:

Feature requests can be sent to:

To join or view the archives of the BIND Users mailing list,
https://lists.isc.org/mailman/listinfo/bind-users

If you're planning on making changes to the BIND 9 source
code, you may also want to join the BIND Workers mailing
https://lists.isc.org/mailman/listinfo/bind-workers

Information on read-only Git access, coding style and developer
guidelines can be found at:
http://www.isc.org/git/

        - This product includes software developed by the OpenSSL Project
          for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
        - This product includes cryptographic software written by Eric
          Young (eay@cryptsoft.com).
        - This product includes software written by Tim Hudson