BIND 9

        BIND version 9 is a major rewrite of nearly all aspects of the
        underlying BIND architecture.  Some of the important features of
        BIND 9 are:

        - DNS Security
                DNSSEC (signed zones)
                TSIG (signed DNS requests)

        - IP version 6
                Answers DNS queries on IPv6 sockets
                IPv6 resource records (AAAA)
                Experimental IPv6 Resolver Library

        - DNS Protocol Enhancements
                IXFR, DDNS, Notify, EDNS0
                Improved standards conformance

        - Views
                One server process can provide multiple "views" of
                the DNS namespace, e.g. an "inside" view to certain
                clients, and an "outside" view to others.

        - Multiprocessor Support

        - Improved Portability Architecture


        BIND version 9 development has been underwritten by the following
        organizations:

                Sun Microsystems, Inc.
                Hewlett Packard
                Compaq Computer Corporation
                IBM
                Process Software Corporation
                Silicon Graphics, Inc.
                Network Associates, Inc.
                U.S. Defense Information Systems Agency
                USENIX Association
                Stichting NLnet - NLnet Foundation
                Nominum, Inc.

        For a summary of functional enhancements in previous
        releases, see the HISTORY file.

        For a detailed list of user-visible changes from
        previous releases, see the CHANGES file.

        For up-to-date release notes and errata, see
        http://www.isc.org/software/bind9/releasenotes

BIND 9.9.9-P4

        This version contains a fix for CVE-2016-8864.

BIND 9.9.9-P3

        This version contains a fix for CVE-2016-2776.

BIND 9.9.9-P2

        This version contains a fix for CVE-2016-2775 and addresses
        two regressions introduced with BIND 9.9.9.

BIND 9.9.9-P1

        This version contains two urgent fixes to BIND 9.9.9:
        1) Windows installation was failing without manual updating
           of BINDinstall's attributes.
        2) A race condition was causing instability in the rbt
           tree state.

BIND 9.9.9

        BIND 9.9.9 is a maintenance release and addresses bugs found
        in BIND 9.9.8 and earlier, as well as the security flaws
        described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
        CVE-2016-1285, and CVE-2016-1286.

BIND 9.9.8

        BIND 9.9.8 is a maintenance release and addresses bugs
        found in BIND 9.9.7 and earlier, as well as the security
        flaws described in CVE-2015-4620, CVE-2015-5477,
        CVE-2015-5722, and CVE-2015-5986.

        It also makes the following new features available via a
        compile-time option:

        - New "fetchlimit" quotas are now available for the use of
          recursive resolvers that are under high query load for
          domains whose authoritative servers are nonresponsive or are
          experiencing a denial of service attack.

          + "fetches-per-server" limits the number of simultaneous queries
            that can be sent to any single authoritative server.  The
            configured value is a starting point; it is automatically
            adjusted downward if the server is partially or completely
            non-responsive.  The algorithm used to adjust the quota can be
            configured via the "fetch-quota-params" option.
          + "fetches-per-zone" limits the number of simultaneous queries
            that can be sent for names within a single domain.  (Note:
            Unlike "fetches-per-server", this value is not self-tuning.)
          + New stats counters have been added to count
            queries spilled due to these quotas.

          NOTE: These options are NOT built in by default; use
          "configure --enable-fetchlimit" to enable them.

BIND 9.9.7

        BIND 9.9.7 is a maintenance release and addresses bugs
        found in BIND 9.9.6 and earlier, as well as the security
        flaws described in CVE-2014-8500 and CVE-2015-1349.

BIND 9.9.6

        BIND 9.9.6 is a maintenance release, and also includes
        the following new functionality.

        - The former behavior with respect to capitalization of names
          (prior to BIND 9.9.5) can be restored for specific clients via
          the new "no-case-compress" ACL.

BIND 9.9.5

        BIND 9.9.5 is a maintenance release, and patches the security
        flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
        includes the following functional enhancements:

        - "named" now preserves the capitalization of names when
          responding to queries.
        - The new "dnssec-importkey" command allows the use of offline
          DNSSEC keys with automatic DNSKEY management.
        - When re-signing a zone, the new "dnssec-signzone -Q" option
          drops signatures from keys that are still published but are
          no longer active.
        - "named-checkconf -px" will print the contents of configuration
          files with the shared secrets obscured, making it easier to
          share configuration (e.g. when submitting a bug report)
          without revealing private information.

BIND 9.9.4

        BIND 9.9.4 is a maintenance release, and patches the security
        flaws described in CVE-2013-3919 and CVE-2013-4854.  It also
        introduces DNS Response Rate Limiting (DNS RRL) as a
        compile-time option.  To use this feature, configure with
        the "--enable-rrl" option.

BIND 9.9.3

        BIND 9.9.3 is a maintenance release and patches the security
        flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.

BIND 9.9.2

        BIND 9.9.2 is a maintenance release and patches the security
        flaw described in CVE-2012-4244.

BIND 9.9.1

        BIND 9.9.1 is a maintenance release.

BIND 9.9.0

        BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
        releases.  New features include:

        - Inline signing, allowing automatic DNSSEC signing of
          master zones without modification of the zonefile, or
          "bump in the wire" signing in slaves.
        - NXDOMAIN redirection.
        - New 'rndc flushtree' command clears all data under a given
          name from the DNS cache.
        - New 'rndc sync' command dumps pending changes in a dynamic
          zone to disk without a freeze/thaw cycle.
        - New 'rndc signing' command displays or clears signing status
          records in 'auto-dnssec' zones.
        - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
          to signing, eliminating the need to initially sign with NSEC.
        - Startup time improvements on large authoritative servers.
        - Slave zones are now saved in raw format by default.
        - Several improvements to response policy zones (RPZ).
        - Improved hardware scalability by using multiple threads
          to listen for queries and using finer-grained client locking.
        - The 'also-notify' option now takes the same syntax as
          'masters', so it can use named masterlists and TSIG keys.
        - 'dnssec-signzone -D' writes an output file containing only DNSSEC
          data, which can be included by the primary zone file.
        - 'dnssec-signzone -R' forces removal of signatures that are
          not expired but were created by a key which no longer exists.
        - 'dnssec-signzone -X' allows a separate expiration date to
          be specified for DNSKEY signatures from other signatures.
        - New '-L' option to dnssec-keygen, dnssec-settime, and
          dnssec-keyfromlabel sets the default TTL for the key.
        - dnssec-dsfromkey now supports reading from standard input,
          to make it easier to convert DNSKEY to DS.
        - RFC 1918 reverse zones have been added to the empty-zones
          table per RFC 6303.
        - Dynamic updates can now optionally set the zone's SOA serial
          number to the current UNIX time.
        - DLZ modules can now retrieve the source IP address of
          the querying client.
        - 'request-ixfr' option can now be set at the per-zone level.
        - 'dig +rrcomments' turns on comments about DNSKEY records,
          indicating their key ID, algorithm and function.
        - Simplified nsupdate syntax and added readline support.

Building

        BIND 9 currently requires a UNIX system with an ANSI C compiler,
        basic POSIX support, and a 64 bit integer type.

        We've had successful builds and tests on the following systems:

                COMPAQ Tru64 UNIX 5.1B
                Fedora Core 6
                FreeBSD 4.10, 5.2.1, 6.2
                HP-UX 11.11
                Mac OS X 10.5
                NetBSD 3.x, 4.0-beta, 5.0-beta
                OpenBSD 3.3 and up
                Solaris 8, 9, 9 (x86), 10
                Ubuntu 7.04, 7.10
                Windows XP/2003/2008

        NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
        Windows, including Windows NT and Windows 2000, are no longer
        supported.

        We have recent reports from the user community that a supported
        version of BIND will build and run on the following systems:

                AIX 4.3, 5L
                CentOS 4, 4.5, 5
                Darwin 9.0.0d1/ARM
                Debian 4, 5, 6
                Fedora Core 5, 7, 8
                FreeBSD 6, 7, 8
                HP-UX 11.23 PA
                MacOS X 10.5, 10.6, 10.7
                Red Hat Enterprise Linux 4, 5, 6
                SCO OpenServer 5.0.6
                Slackware 9, 10
                SuSE 9, 10

        To build, just

                ./configure
                make

        Do not use a parallel "make".

        Several environment variables that can be set before running
        configure will affect compilation:

        CC
                The C compiler to use.  configure tries to figure
                out the right one for supported systems.

        CFLAGS
                C compiler flags.  Defaults to include -g and/or -O2
                as supported by the compiler.  Please include '-g'
                if you need to set CFLAGS.

        STD_CINCLUDES
                System header file directories.  Can be used to specify
                where add-on thread or IPv6 support is, for example.
                Defaults to empty string.

        STD_CDEFINES
                Any additional preprocessor symbols you want defined.
                Defaults to empty string.

                Possible settings:
                Change the default syslog facility of named/lwresd.
                        -DISC_FACILITY=LOG_LOCAL0
                Enable DNSSEC signature chasing support in dig.
                        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
                        -DDIG_SIGCHASE_BU=1)
                Disable dropping queries from particular well known ports.
                        -DNS_CLIENT_DROPPORT=0
                Sibling glue checking in named-checkzone is enabled by default.
                To disable the default check, set
                        -DCHECK_SIBLING=0
                named-checkzone checks out-of-zone addresses by default.
                To disable this default, set
                        -DCHECK_LOCAL=0
                To create the default pid files in ${localstatedir}/run rather
                than ${localstatedir}/run/{named,lwresd}/, set
                        -DNS_RUN_PID_DIR=0
                Enable workaround for Solaris kernel bug about /dev/poll.
                        -DISC_SOCKET_USE_POLLWATCH=1
                The watch timeout is also configurable, e.g.,
                        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

        LDFLAGS
                Linker flags.  Defaults to empty string.

        The following need to be set when cross compiling.

        BUILD_CC
                The native C compiler.
        BUILD_CFLAGS (optional)
        BUILD_CPPFLAGS (optional)
                Possible Settings:
                -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
        BUILD_LDFLAGS (optional)
        BUILD_LIBS (optional)

        To build shared libraries, specify "--with-libtool" on the
        configure command line.

        For the server to support DNSSEC, you need to build it
        with crypto support.  You must have OpenSSL 0.9.5a
        or newer installed and specify "--with-openssl" on the
        configure command line.  If OpenSSL is installed under
        a nonstandard prefix, you can tell configure where to
        look for it using "--with-openssl=/prefix".

        On some platforms it is necessary to explicitly request large
        file support to handle files bigger than 2GB.  This can be
        done by "--enable-largefile" on the configure command line.

        On some platforms, BIND 9 can be built with multithreading
        support, allowing it to take advantage of multiple CPUs.
        You can specify whether to build a multithreaded BIND 9
        by specifying "--enable-threads" or "--disable-threads"
        on the configure command line.  The default is operating
        system dependent.

        Support for the "fixed" rrset-order option can be enabled
        or disabled by specifying "--enable-fixed-rrset" or
        "--disable-fixed-rrset" on the configure command line.
        The default is "disabled", to reduce memory footprint.

        If your operating system has integrated support for IPv6, it
        will be used automatically.  If you have installed KAME IPv6
        separately, use "--with-kame[=PATH]" to specify its location.

        "make install" will install "named" and the various BIND 9 libraries.
        By default, installation is into /usr/local, but this can be changed
        with the "--prefix" option when running "configure".

        You may specify the option "--sysconfdir" to set the directory
        where configuration files like "named.conf" go by default,
        and "--localstatedir" to set the default parent directory
        of "run/named.pid".  For backwards compatibility with BIND 8,
        --sysconfdir defaults to "/etc" and --localstatedir defaults to
        "/var" if no --prefix option is given.  If there is a --prefix
        option, sysconfdir defaults to "$prefix/etc" and localstatedir
        defaults to "$prefix/var".

        To see additional configure options, run "configure --help".
        Note that the help message does not reflect the BIND 8
        compatibility defaults for sysconfdir and localstatedir.

        If you're planning on making changes to the BIND 9 source, you
        should also "make depend".  If you're using Emacs, you might find
        "make tags" helpful.

        If you need to re-run configure, please run "make distclean" first.
        This will ensure that all the option changes take effect.
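        The "fetchlimit" quotas described in the BIND 9.9.8 notes above are
        only compiled in when you run "configure --enable-fetchlimit"; once
        named is built that way, they are set in the options block of
        named.conf.  The fragment below is an added illustration, not part
        of this README or of the BIND distribution; the numeric values are
        assumptions, and the meaning of the fetch-quota-params fields
        (recalculation interval in queries, low and high timeout-ratio
        thresholds, moving-average discount rate) should be checked against
        the Administrator Reference Manual for the installed version.

```conf
options {
	recursion yes;

	/* Assumed example value.  Caps simultaneous outstanding queries
	   to any one authoritative server.  named lowers the quota on its
	   own when that server is partially or completely non-responsive,
	   so this number is only the starting point. */
	fetches-per-server 200;

	/* Assumed to match the defaults: recalculate every 100 queries;
	   raise the quota while the timeout ratio stays below 0.1, lower
	   it once the ratio exceeds 0.3; 0.7 is the discount rate that
	   weights recent results in the moving average. */
	fetch-quota-params 100 0.1 0.3 0.7;

	/* Assumed example value.  Caps simultaneous outstanding queries
	   for names inside one zone.  This quota is NOT self-tuning, so
	   size it to the traffic a single busy domain normally generates;
	   an over-tight value turns into SERVFAIL for legitimate clients. */
	fetches-per-zone 50;
};
```

        Queries dropped by either quota are counted in the statistics
        counters added in 9.9.8 ("rndc stats" writes them to the statistics
        file), which is the place to watch while tuning these values.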
        Building with gcc is not supported, unless gcc is the vendor's usual
        compiler (e.g. the various BSD systems, Linux).

        Known compiler issues:
        * gcc-3.2.1 and gcc-3.1.1 are known to cause problems on solaris-x86.
        * gcc prior to gcc-3.2.3 on ultrasparc generates incorrect code at -O2.
        * gcc-3.3.5 on powerpc generates incorrect code at -O2.
        * Irix, MipsPRO 7.4.1m is known to cause problems.

        A limited test suite can be run with "make test".  Many of
        the tests require you to configure a set of virtual IP addresses
        on your system, and some require Perl; see bin/tests/system/README
        for details.

        SunOS 4 requires "printf" to be installed to make the shared
        libraries.  sh-utils-1.16 provides a "printf" which compiles
        on SunOS 4.

Known limitations

        Linux requires kernel build 2.6.39 or later to get the
        performance benefits from using multiple sockets.

Documentation

        The BIND 9 Administrator Reference Manual is included with the
        source distribution in DocBook XML and HTML format, in the
        doc/arm directory.

        Some of the programs in the BIND 9 distribution have man pages
        in their directories.  In particular, the command line
        options of "named" are documented in /bin/named/named.8.
        There is now also a set of man pages for the lwres library.

        If you are upgrading from BIND 8, please read the migration
        notes in doc/misc/migration.  If you are upgrading from
        BIND 4, read doc/misc/migration-4to9.

        Frequently asked questions and their answers can be found in
        FAQ.

        Additional information on various subjects can be found
        in the other README files.


Change Log

        A detailed list of all changes to BIND 9 is included in the
        file CHANGES, with the most recent changes listed first.
        Change notes include tags indicating the category of the
        change that was made; these categories are:

                [func]          New feature

                [bug]           General bug fix

                [security]      Fix for a significant security flaw

                [experimental]  Used for new features when the syntax
                                or other aspects of the design are still
                                in flux and may change

                [port]          Portability enhancement

                [maint]         Updates to built-in data such as root
                                server addresses and keys

                [tuning]        Changes to built-in configuration defaults
                                and constants to improve performance

                [performance]   Other changes to improve server performance

                [protocol]      Updates to the DNS protocol such as new
                                RR types

                [test]          Changes to the automatic tests, not
                                affecting server functionality

                [cleanup]       Minor corrections and refactoring

                [doc]           Documentation

                [contrib]       Changes to the contributed tools and
                                libraries in the 'contrib' subdirectory

                [placeholder]   Used in the master development branch to
                                reserve change numbers for use in other
                                branches, e.g. when fixing a bug that only
                                exists in older releases

        In general, [func] and [experimental] tags will only appear
        in new-feature releases (i.e., those with version numbers
        ending in zero).  Some new functionality may be backported to
        older releases on a case-by-case basis.  All other change
        types may be applied to all currently-supported releases.


Bug Reports and Mailing Lists

        Bug reports should be sent to:

                bind9-bugs@isc.org

        Feature requests can be sent to:

                bind-suggest@isc.org

        To join or view the archives of the BIND Users mailing list,
        visit:

                https://lists.isc.org/mailman/listinfo/bind-users

        If you're planning on making changes to the BIND 9 source
        code, you may also want to join the BIND Workers mailing
        list:

                https://lists.isc.org/mailman/listinfo/bind-workers

        Information on read-only Git access, coding style and developer
        guidelines can be found at:

                http://www.isc.org/git/