• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..--

bin/26-Jul-2015-98,94777,895

doc/05-Nov-2016-46,73244,290

lib/26-Jul-2015-287,351184,040

libtool.m4/26-Jul-2015-8,5167,661

make/05-Nov-2016-627453

CHANGESD05-Nov-2016428.9 KiB13,1288,971

COPYRIGHTD12-Aug-201626.5 KiB539429

FAQD05-Nov-201632.8 KiB891643

FAQ.xmlD05-Nov-201644.8 KiB1,6111,485

HISTORYD26-Jul-201512.5 KiB366254

Makefile.inD05-Nov-20163.1 KiB10161

READMED05-Nov-201616 KiB490367

acconfig.hD05-Nov-20164.3 KiB15553

aclocal.m4D26-Jul-2015717 1815

config.guessD26-Jul-201544.7 KiB1,5691,356

config.h.inD05-Nov-201614.2 KiB519366

config.subD26-Jul-201534.8 KiB1,7941,656

config.threads.inD26-Jul-20153.2 KiB136129

configure.inD05-Nov-2016113.4 KiB4,3474,024

install-shD26-Jul-20155.4 KiB251152

isc-config.sh.inD05-Nov-20163.3 KiB172147

ltmain.shD26-Jul-2015278 KiB9,7077,345

mkinstalldirsD26-Jul-2015727 4123

versionD05-Nov-2016210 1211

README

1BIND 9
2
3	BIND version 9 is a major rewrite of nearly all aspects of the
4	underlying BIND architecture.  Some of the important features of
5	BIND 9 are:
6
7		- DNS Security
8			DNSSEC (signed zones)
9			TSIG (signed DNS requests)
10
11		- IP version 6
12			Answers DNS queries on IPv6 sockets
13			IPv6 resource records (AAAA)
14			Experimental IPv6 Resolver Library
15
16		- DNS Protocol Enhancements
17			IXFR, DDNS, Notify, EDNS0
18			Improved standards conformance
19
20		- Views
21			One server process can provide multiple "views" of
22			the DNS namespace, e.g. an "inside" view to certain
23			clients, and an "outside" view to others.
24
25		- Multiprocessor Support
26
27		- Improved Portability Architecture
28
29
30	BIND version 9 development has been underwritten by the following
31	organizations:
32
33		Sun Microsystems, Inc.
34		Hewlett Packard
35		Compaq Computer Corporation
36		IBM
37		Process Software Corporation
38		Silicon Graphics, Inc.
39		Network Associates, Inc.
40		U.S. Defense Information Systems Agency
41		USENIX Association
42		Stichting NLnet - NLnet Foundation
43		Nominum, Inc.
44
45	For a summary of functional enhancements in previous
46	releases, see the HISTORY file.
47
48	For a detailed list of user-visible changes from
49	previous releases, see the CHANGES file.
50
51	For up-to-date release notes and errata, see
52	http://www.isc.org/software/bind9/releasenotes
53
54BIND 9.9.9-P4
55
56	This version contains a fix for CVE-2016-8864.
57
58BIND 9.9.9-P3
59
60	This version contains a fix for CVE-2016-2776.
61
62BIND 9.9.9-P2
63
64	This version contains a fix for CVE-2016-2775 and addresses
65	two regressions introduced with BIND 9.9.9.
66
67BIND 9.9.9-P1
68
69	This version contains two urgent fixes to BIND 9.9.9:
70	1) Windows installation was failing without manual updating
71	   of BINDinstall's attributes.
72	2) A race condition was causing instability in the rbt
73	   tree state.
74
75BIND 9.9.9
76
77	BIND 9.9.9 is a maintenance release and addresses bugs found
78	in BIND 9.9.8 and earlier, as well as the security flaws
79	described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
80	CVE-2016-1285, and CVE-2016-1286.
81
82BIND 9.9.8
83
84	BIND 9.9.8 is a maintenance release and addresses bugs
85	found in BIND 9.9.7 and earlier, as well as the security
86	flaws described in CVE-2015-4620, CVE-2015-5477,
87	CVE-2015-5722, and CVE-2015-5986.
88
89	It also makes the following new features available via a
90	compile-time option:
91
92	- New "fetchlimit" quotas are now available for the use of
93	  recursive resolvers that are are under high query load for
94	  domains whose authoritative servers are nonresponsive or are
95	  experiencing a denial of service attack.
96
97	  + "fetches-per-server" limits the number of simultaneous queries
98	    that can be sent to any single authoritative server.  The
99	    configured value is a starting point; it is automatically
100	    adjusted downward if the server is partially or completely
101	    non-responsive. The algorithm used to adjust the quota can be
102	    configured via the "fetch-quota-params" option.
103	  + "fetches-per-zone" limits the number of simultaneous queries
104	    that can be sent for names within a single domain.  (Note:
105	    Unlike "fetches-per-server", this value is not self-tuning.)
106	  + New stats counters have been added to count
107	    queries spilled due to these quotas.
108
109	  NOTE: These options are NOT built in by default; use
110	  "configure --enable-fetchlimit" to enable them.
111
112BIND 9.9.7
113
114	BIND 9.9.7 is a maintenance release and addresses bugs
115	found in BIND 9.9.6 and earlier, as well as the security
116	flaws described in CVE-2014-8500 and CVE-2015-1349.
117
118BIND 9.9.6
119
120	BIND 9.9.6 is a maintenance release, and also includes
121	the following new functionality.
122
123	 - The former behavior with respect to capitalization of names
124	   (prior to BIND 9.9.5) can be restored for specific clients via
125	   the new "no-case-compress" ACL.
126
127BIND 9.9.5
128
129	BIND 9.9.5 is a maintenance release, and patches the security
130	flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
131	includes the following functional enhancements:
132
133	 - "named" now preserves the capitalization of names when
134	   responding to queries.
135	 - new "dnssec-importkey" command allows the use of offline
136	   DNSSEC keys with automatic DNSKEY management.
137	 - When re-signing a zone, the new "dnssec-signzone -Q" option
138	   drops signatures from keys that are still published but are
139	   no longer active.
140	 - "named-checkconf -px" will print the contents of configuration
141	   files with the shared secrets obscured, making it easier to
142	   share configuration (e.g. when submitting a bug report)
143	   without revealing private information.
144
145BIND 9.9.4
146
147	BIND 9.9.4 is a maintenance release, and patches the security
148	flaws described in CVE-2013-3919 and CVE-2013-4854. It also
149	introduces DNS Response Rate Limiting (DNS RRL) as a
150	compile-time option. To use this feature, configure with
151	the "--enable-rrl" option.
152
153BIND 9.9.3
154
155	BIND 9.9.3 is a maintenance release and patches the security
156	flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
157
158BIND 9.9.2
159
160	BIND 9.9.2 is a maintenance release and patches the security
161	flaw described in CVE-2012-4244.
162
163BIND 9.9.1
164
165	BIND 9.9.1 is a maintenance release.
166
167BIND 9.9.0
168
169	BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
170	releases.  New features include:
171
172	- Inline signing, allowing automatic DNSSEC signing of
173	  master zones without modification of the zonefile, or
174	  "bump in the wire" signing in slaves.
175	- NXDOMAIN redirection.
176	- New 'rndc flushtree' command clears all data under a given
177	  name from the DNS cache.
178	- New 'rndc sync' command dumps pending changes in a dynamic
179	  zone to disk without a freeze/thaw cycle.
180	- New 'rndc signing' command displays or clears signing status
181	  records in 'auto-dnssec' zones.
182	- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
183	  to signing, eliminating the need to initially sign with NSEC.
184	- Startup time improvements on large authoritative servers.
185	- Slave zones are now saved in raw format by default.
186	- Several improvements to response policy zones (RPZ).
187	- Improved hardware scalability by using multiple threads
188	  to listen for queries and using finer-grained client locking
189	- The 'also-notify' option now takes the same syntax as
190	  'masters', so it can used named masterlists and TSIG keys.
191	- 'dnssec-signzone -D' writes an output file containing only DNSSEC
192	  data, which can be included by the primary zone file.
193	- 'dnssec-signzone -R' forces removal of signatures that are
194	  not expired but were created by a key which no longer exists.
195	- 'dnssec-signzone -X' allows a separate expiration date to
196	  be specified for DNSKEY signatures from other signatures.
197	- New '-L' option to dnssec-keygen, dnssec-settime, and
198	  dnssec-keyfromlabel sets the default TTL for the key.
199	- dnssec-dsfromkey now supports reading from standard input,
200	  to make it easier to convert DNSKEY to DS.
201	- RFC 1918 reverse zones have been added to the empty-zones
202	  table per RFC 6303.
203	- Dynamic updates can now optionally set the zone's SOA serial
204	  number to the current UNIX time.
205	- DLZ modules can now retrieve the source IP address of
206	  the querying client.
207	- 'request-ixfr' option can now be set at the per-zone level.
208	- 'dig +rrcomments' turns on comments about DNSKEY records,
209	  indicating their key ID, algorithm and function
210	- Simplified nsupdate syntax and added readline support
211
212Building
213
214	BIND 9 currently requires a UNIX system with an ANSI C compiler,
215	basic POSIX support, and a 64 bit integer type.
216
217	We've had successful builds and tests on the following systems:
218
219		COMPAQ Tru64 UNIX 5.1B
220		Fedora Core 6
221		FreeBSD 4.10, 5.2.1, 6.2
222		HP-UX 11.11
223		Mac OS X 10.5
224		NetBSD 3.x, 4.0-beta, 5.0-beta
225		OpenBSD 3.3 and up
226		Solaris 8, 9, 9 (x86), 10
227		Ubuntu 7.04, 7.10
228		Windows XP/2003/2008
229
230	NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
231	Windows, including Windows NT and Windows 2000, are no longer
232	supported.
233
234	We have recent reports from the user community that a supported
235	version of BIND will build and run on the following systems:
236
237		AIX 4.3, 5L
238		CentOS 4, 4.5, 5
239		Darwin 9.0.0d1/ARM
240		Debian 4, 5, 6
241		Fedora Core 5, 7, 8
242		FreeBSD 6, 7, 8
243		HP-UX 11.23 PA
244		MacOS X 10.5, 10.6, 10.7
245		Red Hat Enterprise Linux 4, 5, 6
246		SCO OpenServer 5.0.6
247		Slackware 9, 10
248		SuSE 9, 10
249
250	To build, just
251
252		./configure
253		make
254
255	Do not use a parallel "make".
256
257	Several environment variables that can be set before running
258	configure will affect compilation:
259
260	    CC
261		The C compiler to use.	configure tries to figure
262		out the right one for supported systems.
263
264	    CFLAGS
265		C compiler flags.  Defaults to include -g and/or -O2
266		as supported by the compiler.  Please include '-g'
267		if you need to set CFLAGS.
268
269	    STD_CINCLUDES
270		System header file directories.	 Can be used to specify
271		where add-on thread or IPv6 support is, for example.
272		Defaults to empty string.
273
274	    STD_CDEFINES
275		Any additional preprocessor symbols you want defined.
276		Defaults to empty string.
277
278		Possible settings:
279		Change the default syslog facility of named/lwresd.
280		  -DISC_FACILITY=LOG_LOCAL0
281		Enable DNSSEC signature chasing support in dig.
282		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
283				    -DDIG_SIGCHASE_BU=1)
284		Disable dropping queries from particular well known ports.
285		  -DNS_CLIENT_DROPPORT=0
286		Sibling glue checking in named-checkzone is enabled by default.
287		To disable the default check set.  -DCHECK_SIBLING=0
288		named-checkzone checks out-of-zone addresses by default.
289		To disable this default set.  -DCHECK_LOCAL=0
290		To create the default pid files in ${localstatedir}/run rather
291		than ${localstatedir}/run/{named,lwresd}/ set.
292		  -DNS_RUN_PID_DIR=0
293		Enable workaround for Solaris kernel bug about /dev/poll
294		  -DISC_SOCKET_USE_POLLWATCH=1
295		  The watch timeout is also configurable, e.g.,
296		  -DISC_SOCKET_POLLWATCH_TIMEOUT=20
297
298	    LDFLAGS
299		Linker flags. Defaults to empty string.
300
301	The following need to be set when cross compiling.
302
303	    BUILD_CC
304		The native C compiler.
305	    BUILD_CFLAGS (optional)
306	    BUILD_CPPFLAGS (optional)
307		Possible Settings:
308		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
309	    BUILD_LDFLAGS (optional)
310	    BUILD_LIBS (optional)
311
312	To build shared libraries, specify "--with-libtool" on the
313	configure command line.
314
315	For the server to support DNSSEC, you need to build it
316	with crypto support.  You must have OpenSSL 0.9.5a
317	or newer installed and specify "--with-openssl" on the
318	configure command line.  If OpenSSL is installed under
319	a nonstandard prefix, you can tell configure where to
320	look for it using "--with-openssl=/prefix".
321
322	On some platforms it is necessary to explicitly request large
323	file support to handle files bigger than 2GB.  This can be
324	done by "--enable-largefile" on the configure command line.
325
326	On some platforms, BIND 9 can be built with multithreading
327	support, allowing it to take advantage of multiple CPUs.
328	You can specify whether to build a multithreaded BIND 9
329	by specifying "--enable-threads" or "--disable-threads"
330	on the configure command line.  The default is operating
331	system dependent.
332
333	Support for the "fixed" rrset-order option can be enabled
334	or disabled by specifying "--enable-fixed-rrset" or
335	"--disable-fixed-rrset" on the configure command line.
336	The default is "disabled", to reduce memory footprint.
337
338	If your operating system has integrated support for IPv6, it
339	will be used automatically.  If you have installed KAME IPv6
340	separately, use "--with-kame[=PATH]" to specify its location.
341
342	"make install" will install "named" and the various BIND 9 libraries.
343	By default, installation is into /usr/local, but this can be changed
344	with the "--prefix" option when running "configure".
345
346	You may specify the option "--sysconfdir" to set the directory
347	where configuration files like "named.conf" go by default,
348	and "--localstatedir" to set the default parent directory
349	of "run/named.pid".   For backwards compatibility with BIND 8,
350	--sysconfdir defaults to "/etc" and --localstatedir defaults to
351	"/var" if no --prefix option is given.  If there is a --prefix
352	option, sysconfdir defaults to "$prefix/etc" and localstatedir
353	defaults to "$prefix/var".
354
355	To see additional configure options, run "configure --help".
356	Note that the help message does not reflect the BIND 8
357	compatibility defaults for sysconfdir and localstatedir.
358
359	If you're planning on making changes to the BIND 9 source, you
360	should also "make depend".  If you're using Emacs, you might find
361	"make tags" helpful.
362
363	If you need to re-run configure please run "make distclean" first.
364	This will ensure that all the option changes take.
365
366	Building with gcc is not supported, unless gcc is the vendor's usual
367	compiler (e.g. the various BSD systems, Linux).
368
369	Known compiler issues:
370	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
371	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
372	* gcc-3.3.5 powerpc generates incorrect code at -02.
373	* Irix, MipsPRO 7.4.1m is known to cause problems.
374
375	A limited test suite can be run with "make test".  Many of
376	the tests require you to configure a set of virtual IP addresses
377	on your system, and some require Perl; see bin/tests/system/README
378	for details.
379
380	SunOS 4 requires "printf" to be installed to make the shared
381	libraries.  sh-utils-1.16 provides a "printf" which compiles
382	on SunOS 4.
383
384Known limitations
385
386	Linux requires kernel build 2.6.39 or later to get the
387	performance benefits from using multiple sockets.
388
389Documentation
390
391	The BIND 9 Administrator Reference Manual is included with the
392	source distribution in DocBook XML and HTML format, in the
393	doc/arm directory.
394
395	Some of the programs in the BIND 9 distribution have man pages
396	in their directories.  In particular, the command line
397	options of "named" are documented in /bin/named/named.8.
398	There is now also a set of man pages for the lwres library.
399
400	If you are upgrading from BIND 8, please read the migration
401	notes in doc/misc/migration.  If you are upgrading from
402	BIND 4, read doc/misc/migration-4to9.
403
404	Frequently asked questions and their answers can be found in
405	FAQ.
406
407	Additional information on various subjects can be found
408	in the other README files.
409
410
411Change Log
412
413	A detailed list of all changes to BIND 9 is included in the
414	file CHANGES, with the most recent changes listed first.
415	Change notes include tags indicating the category of the
416	change that was made; these categories are:
417
418	   [func]	  New feature
419
420	   [bug]	  General bug fix
421
422	   [security]	  Fix for a significant security flaw
423
424	   [experimental] Used for new features when the syntax
425			  or other aspects of the design are still
426			  in flux and may change
427
428	   [port]	  Portability enhancement
429
430	   [maint]	  Updates to built-in data such as root
431			  server addresses and keys
432
433	   [tuning]	  Changes to built-in configuration defaults
434			  and constants to improve performance
435
436	   [performance]  Other changes to improve server performance
437
438	   [protocol]     Updates to the DNS protocol such as new
439			  RR types
440
441	   [test]         Changes to the automatic tests, not
442			  affecting server functionality
443
444	   [cleanup]      Minor corrections and refactoring
445
446	   [doc]	  Documentation
447
448	   [contrib]	  Changes to the contributed tools and
449			  libraries in the 'contrib' subdirectory
450
451	   [placeholder]  Used in the master development branch to
452			  reserve change numbers for use in other
453			  branches, e.g. when fixing a bug that only
454			  exists in older releases
455
456	In general, [func] and [experimental] tags will only appear
457	in new-feature releases (i.e., those with version numbers
458	ending in zero).  Some new functionality may be backported to
459	older releases on a case-by-case basis.  All other change
460	types may be applied to all currently-supported releases.
461
462
463Bug Reports and Mailing Lists
464
465	Bug reports should be sent to:
466
467		bind9-bugs@isc.org
468
469	Feature requests can be sent to:
470
471		bind-suggest@isc.org
472
473	To join or view the archives of the BIND Users mailing list,
474	visit:
475
476		https://lists.isc.org/mailman/listinfo/bind-users
477
478	If you're planning on making changes to the BIND 9 source
479	code, you may also want to join the BIND Workers mailing
480	list:
481
482		https://lists.isc.org/mailman/listinfo/bind-workers
483
484	Information on read-only Git access, coding style and developer
485	guidelines can be found at:
486
487		http://www.isc.org/git/
488
489
490