bind - Removed version tag from contrib directory and updated README.DRAGONFLY.
[dragonfly.git] / contrib / bind / README
1BIND 9
2
3 BIND version 9 is a major rewrite of nearly all aspects of the
4 underlying BIND architecture. Some of the important features of
5 BIND 9 are:
6
7 - DNS Security
8 DNSSEC (signed zones)
9 TSIG (signed DNS requests)
10
11 - IP version 6
12 Answers DNS queries on IPv6 sockets
13 IPv6 resource records (AAAA)
14 Experimental IPv6 Resolver Library
15
16 - DNS Protocol Enhancements
17 IXFR, DDNS, Notify, EDNS0
18 Improved standards conformance
19
20 - Views
21 One server process can provide multiple "views" of
22 the DNS namespace, e.g. an "inside" view to certain
23 clients, and an "outside" view to others.
24
25 - Multiprocessor Support
26
27 - Improved Portability Architecture
28
29
30 BIND version 9 development has been underwritten by the following
31 organizations:
32
33 Sun Microsystems, Inc.
34 Hewlett Packard
35 Compaq Computer Corporation
36 IBM
37 Process Software Corporation
38 Silicon Graphics, Inc.
39 Network Associates, Inc.
40 U.S. Defense Information Systems Agency
41 USENIX Association
42 Stichting NLnet - NLnet Foundation
43 Nominum, Inc.
44
45
46BIND 9.5.2
47
48 BIND 9.5.2 is a maintenance release, fixing bugs in 9.5.1.
49
50BIND 9.5.1
51
52 BIND 9.5.1 is a maintenance release, fixing bugs in 9.5.0.
53
54BIND 9.5.0
55
56 BIND 9.5.0 has a number of new features over 9.4,
57 including:
58
59 - GSS-TSIG support (RFC 3645).
60 - DHCID support.
61 - Experimental http server and statistics support for named via xml.
62 - More detailed statistics counters including those supported in
63 BIND 8.
64 - Faster ACL processing.
65 - Internal documentation generated by Doxygen.
66 - Efficient LRU cache-cleaning mechanism.
67 - NSID support (RFC 5001).
68
69BIND 9.4.0
70
71 BIND 9.4.0 has a number of new features over 9.3,
72 including:
73
74 Implemented "additional section caching (or acache)", an
75 internal cache framework for additional section content to
76 improve response performance. Several configuration options
77 were provided to control the behavior.
78
79 New notify type 'master-only'. Enable notify for master
80 zones only.
81
82 Accept 'notify-source' style syntax for query-source.
83
84 rndc now allows addresses to be set in the server clauses.
85
86 New option "allow-query-cache". This lets "allow-query"
87 be used to specify the default zone access level rather
88 than having to have every zone override the global value.
89 "allow-query-cache" can be set at both the options and view
90 levels. If "allow-query-cache" is not set then "allow-recursion"
91 is used if set, otherwise "allow-query" is used if set
92 unless "recursion no;" is set in which case "none;" is used,
93 otherwise the default (localhost; localnets;) is used.
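The fallback order described above decides who can read the server's cache when "allow-query-cache" is left unset. The following added example (not part of the BIND distribution or of this README) models that order in Python. The function names, the dict layout and the sample options and views are assumptions made for illustration.

```python
# Added example: models the README's fallback order for the effective
# "allow-query-cache" ACL. This is not BIND source code.

DEFAULT_ACL = ("localhost", "localnets")  # default named in the README
NONE_ACL = ("none",)


def lookup(name, view, options):
    """View-level setting wins over options-level; None means 'not set'."""
    if name in view:
        return view[name]
    return options.get(name)


def effective_query_cache_acl(options, view=None):
    """Return (acl, source) for cache access, following the README's order."""
    view = view or {}
    acl = lookup("allow-query-cache", view, options)
    if acl is not None:
        return tuple(acl), "allow-query-cache"
    acl = lookup("allow-recursion", view, options)
    if acl is not None:
        return tuple(acl), "allow-recursion"
    if lookup("recursion", view, options) is False:  # "recursion no;"
        return NONE_ACL, "recursion no"
    acl = lookup("allow-query", view, options)
    if acl is not None:
        return tuple(acl), "allow-query"
    return DEFAULT_ACL, "default"


def audit(options, views):
    """List views whose cache is open to 'any' only through inheritance."""
    findings = []
    for name, view in views.items():
        acl, source = effective_query_cache_acl(options, view)
        if "any" in acl and source != "allow-query-cache":
            findings.append((name, source))
    return findings


# Constructed sample settings (hypothetical, for illustration only).
OPTIONS = {"allow-query": ["any"]}
VIEWS = {
    "inside": {"allow-recursion": ["10.0.0.0/8"]},
    "outside": {},                    # inherits allow-query { any; }
    "auth-only": {"recursion": False},
}

if __name__ == "__main__":
    for view_name, view_cfg in VIEWS.items():
        print(view_name, effective_query_cache_acl(OPTIONS, view_cfg))
    print("review:", audit(OPTIONS, VIEWS))
```

In the sample, the "outside" view inherits "any" from the global "allow-query", which is the case an explicit "allow-query-cache" statement is meant to avoid.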
94
95 rndc: the source address can now be specified.
96
97 ixfr-from-differences now takes master and slave in addition
98 to yes and no at the options and view levels.
99
100 Allow the journal's name to be changed via named.conf.
101
102 'rndc notify zone [class [view]]' resends the NOTIFY messages
103 for the specified zone.
104
105 'dig +trace' now randomly selects the next servers to try.
106 Report if there is a bad delegation.
107
108 Improve check-names error messages.
109
110 Make public the function to read a key file, dst_key_read_public().
111
112 dig now returns the byte count for axfr/ixfr.
113
114 allow-update is now settable at the options / view level.
115
116 named-checkconf now checks the logging configuration.
117
118 host now can turn on memory debugging flags with '-m'.
119
120 Don't send notify messages to self.
121
122 Perform sanity checks on NS records which refer to 'in zone' names.
123
124 New zone option "notify-delay". Specify a minimum delay
125 between sets of NOTIFY messages.
126
127 Extend adjusting TTL warning messages.
128
129 Named and named-checkzone can now both check for non-terminal
130 wildcard records.
131
132 "rndc freeze/thaw" now freezes/thaws all zones.
133
134 named-checkconf now checks acls to verify that they only
135 refer to existing acls.
136
137 The server syntax has been extended to support a range of
138 servers.
139
140 Report differences between hints and real NS rrset and
141 associated address records.
142
143 Preserve the case of domain names in rdata during zone
144 transfers.
145
146 Restructured the data locking framework using architecture
147 dependent atomic operations (when available), improving
148 response performance on multi-processor machines significantly.
149 x86, x86_64, alpha, powerpc, and mips are currently supported.
150
151 UNIX domain controls are now supported.
152
153 Add support for additional zone file formats for improving
154 loading performance. The masterfile-format option in
155 named.conf can be used to specify a non-default format. A
156 separate command named-compilezone was provided to generate
157 zone files in the new format. Additionally, the -I and -O
158 options for dnssec-signzone specify the input and output
159 formats.
160
161 dnssec-signzone can now randomize signature end times
162 (dnssec-signzone -j jitter).
163
164 Add support for CH A record.
165
166 Add additional zone data consistency checks. named-checkzone
167 has extended checking of NS, MX and SRV records and the hosts
168 they reference. named has extended post zone load checks.
169 New zone options: check-mx and integrity-check.
170
171
172 edns-udp-size can now be overridden on a per server basis.
173
174 dig can now specify the EDNS version when making a query.
175
176 Added framework for handling multiple EDNS versions.
177
178 Additional memory debugging support to track size and mctx
179 arguments.
180
181 Detect duplicates of UDP queries we are recursing on and
182 drop them. New stats category "duplicates".
183
184 "USE INTERNAL MALLOC" is now runtime selectable.
185
186 The lame cache is now done on a <qname,qclass,qtype> basis
187 as some servers only appear to be lame for certain query
188 types.
189
190 Limit the number of recursive clients that can be waiting
191 for a single query (<qname,qtype,qclass>) to resolve. New
192 options clients-per-query and max-clients-per-query.
193
194 dig: report the number of extra bytes still left in the
195 packet after processing all the records.
196
197 Support for IPSECKEY rdata type.
198
199 Raise the UDP receive buffer size to 32k if it is less than 32k.
200
201 x86 and x86_64 now have separate atomic locking implementations.
202
203 named-checkconf now validates update-policy entries.
204
205 Attempt to make the amount of work performed in an iteration
206 self tuning. This covers nodes cleaned from the cache per
207 iteration, nodes written to disk when rewriting a master
208 file and nodes destroyed per iteration when destroying a
209 zone or a cache.
210
211 ISC string copy API.
212
213 Automatic empty zone creation for D.F.IP6.ARPA and friends.
214 Note: RFC 1918 zones are not yet covered by this but are
215 likely to be in a future release.
216
217 New options: empty-server, empty-contact, empty-zones-enable
218 and disable-empty-zone.
219
220 dig now has '-q queryname' and '+showsearch' options.
221
222 host/nslookup now continue (default)/fail on SERVFAIL.
223
224 dig now warns if 'RA' is not set in the answer when 'RD'
225 was set in the query. host/nslookup skip servers that fail
226 to set 'RA' when 'RD' is set unless a server is explicitly
227 set.
228
229 Integrate contributed DLZ code into named.
230
231 Integrate contributed IDN code from JPNIC.
232
233 libbind: corresponds to that from BIND 8.4.7.
234
235BIND 9.3.0
236
237 BIND 9.3.0 has a number of new features over 9.2,
238 including:
239
240 DNSSEC is now DS based (RFC 3658).
241 See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
242
243 DNSSEC lookaside validation.
244
245 check-names is now implemented.
246 rrset-order is more complete.
247
248 IPv4/IPv6 transition support, dual-stack-servers.
249
250 IXFR deltas can now be generated when loading master files,
251 ixfr-from-differences.
252
253 It is now possible to specify the size of a journal, max-journal-size.
254
255 It is now possible to define a named set of master servers to be
256 used in masters clause, masters.
257
258 The advertised EDNS UDP size can now be set, edns-udp-size.
259
260 allow-v6-synthesis has been obsoleted.
261
262 NOTE:
263 * Zones containing MD and MF will now be rejected.
264 * dig, nslookup name. now report "Not Implemented" as
265 NOTIMP rather than NOTIMPL. This will have impact on scripts
266 that are looking for NOTIMPL.
267
268 libbind: corresponds to that from BIND 8.4.5.
269
270BIND 9.2.0
271
272 BIND 9.2.0 has a number of new features over 9.1,
273 including:
274
275 - The size of the cache can now be limited using the
276 "max-cache-size" option.
277
278 - The server can now automatically convert RFC1886-style
279 recursive lookup requests into RFC2874-style lookups,
280 when enabled using the new option "allow-v6-synthesis".
281 This allows stub resolvers that support AAAA records
282 but not A6 record chains or binary labels to perform
283 lookups in domains that make use of these IPv6 DNS
284 features.
285
286 - Performance has been improved.
287
288 - The man pages now use the more portable "man" macros
289 rather than the "mandoc" macros, and are installed
290 by "make install".
291
292 - The named.conf parser has been completely rewritten.
293 It now supports "include" directives in more
294 places such as inside "view" statements, and it no
295 longer has any reserved words.
296
297 - The "rndc status" command is now implemented.
298
299 - rndc can now be configured automatically.
300
301 - A BIND 8 compatible stub resolver library is now
302 included in lib/bind.
303
304 - OpenSSL has been removed from the distribution. This
305 means that to use DNSSEC, OpenSSL must be installed and
306 the --with-openssl option must be supplied to configure.
307 This does not apply to the use of TSIG, which does not
308 require OpenSSL.
309
310 - The source distribution now builds on Windows.
311 See win32utils/readme1.txt and win32utils/win32-build.txt
312 for details.
313
314 This distribution also includes a new lightweight stub
315 resolver library and associated resolver daemon that fully
316 support forward and reverse lookups of both IPv4 and IPv6
317 addresses. This library is considered experimental and
318 is not a complete replacement for the BIND 8 resolver library.
319 Applications that use the BIND 8 res_* functions to perform
320 DNS lookups or dynamic updates still need to be linked against
321 the BIND 8 libraries. For DNS lookups, they can also use the
322 new "getrrsetbyname()" API.
323
324 BIND 9.2 is capable of acting as an authoritative server
325 for DNSSEC secured zones. This functionality is believed to
326 be stable and complete except for lacking support for
327 verifications involving wildcard records in secure zones.
328
329 When acting as a caching server, BIND 9.2 can be configured
330 to perform DNSSEC secure resolution on behalf of its clients.
331 This part of the DNSSEC implementation is still considered
332 experimental. For detailed information about the state of the
333 DNSSEC implementation, see the file doc/misc/dnssec.
334
335 There are a few known bugs:
336
337 On some systems, IPv6 and IPv4 sockets interact in
338 unexpected ways. For details, see doc/misc/ipv6.
339 To reduce the impact of these problems, the server
340 no longer listens for requests on IPv6 addresses
341 by default. If you need to accept DNS queries over
342 IPv6, you must specify "listen-on-v6 { any; };"
343 in the named.conf options statement.
344
345 FreeBSD prior to 4.2 (and 4.2 if running as non-root)
346 and OpenBSD prior to 2.8 log messages like
347 "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
348 This is due to a bug in "/dev/random" and impacts the
349 server's DNSSEC support.
350
351 OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
352 OS X 10.2 (Darwin 6.0) report errors like
353 "fcntl(3, F_SETFL, 4): Operation not supported by device".
354 This is due to a bug in "/dev/random" and impacts the
355 server's DNSSEC support.
356
357 --with-libtool does not work on AIX.
358
359 A bug in some versions of the Microsoft DNS server can cause zone
360 transfers from a BIND 9 server to a W2K server to fail. For details,
361 see the "Zone Transfers" section in doc/misc/migration.
362
363 For a detailed list of user-visible changes from
364 previous releases, see the CHANGES file.
365
366
367Building
368
369 BIND 9 currently requires a UNIX system with an ANSI C compiler,
370 basic POSIX support, and a 64 bit integer type.
371
372 We've had successful builds and tests on the following systems:
373
374 COMPAQ Tru64 UNIX 5.1B
375 Fedora Core 6
376 FreeBSD 4.10, 5.2.1, 6.2
377 HP-UX 11.11
378 Mac OS X 10.5
379 NetBSD 3.x and 4.0-beta
380 OpenBSD 3.3 and up
381 Solaris 8, 9, 9 (x86), 10
382 Ubuntu 7.04, 7.10
383 Windows XP/2003/2008
384
385 NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
386 Windows, including Windows NT and Windows 2000, are no longer
387 supported.
388
389 We have recent reports from the user community that a supported
390 version of BIND will build and run on the following systems:
391
392 AIX 4.3, 5L
393 CentOS 4, 4.5, 5
394 Darwin 9.0.0d1/ARM
395 Debian 4
396 Fedora Core 5, 7
397 FreeBSD 6.1
398 HP-UX 11.23 PA
399 MacOS X 10.4, 10.5
400 Red Hat Enterprise Linux 4, 5
401 SCO OpenServer 5.0.6
402 Slackware 9, 10
403 SuSE 9, 10
404
405 To build, just
406
407 ./configure
408 make
409
410 Do not use a parallel "make".
411
412 Several environment variables that can be set before running
413 configure will affect compilation:
414
415 CC
416 The C compiler to use. configure tries to figure
417 out the right one for supported systems.
418
419 CFLAGS
420 C compiler flags. Defaults to include -g and/or -O2
421 as supported by the compiler.
422
423 STD_CINCLUDES
424 System header file directories. Can be used to specify
425 where add-on thread or IPv6 support is, for example.
426 Defaults to empty string.
427
428 STD_CDEFINES
429 Any additional preprocessor symbols you want defined.
430 Defaults to empty string.
431
432 Possible settings:
433 Change the default syslog facility of named/lwresd.
434 -DISC_FACILITY=LOG_LOCAL0
435 Enable DNSSEC signature chasing support in dig.
436 -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
437 -DDIG_SIGCHASE_BU=1)
438 Disable dropping queries from particular well known ports.
439 -DNS_CLIENT_DROPPORT=0
440 Sibling glue checking in named-checkzone is enabled by default.
441 To disable the default check, set -DCHECK_SIBLING=0
442 named-checkzone checks out-of-zone addresses by default.
443 To disable this default, set -DCHECK_LOCAL=0
444 Enable workaround for Solaris kernel bug about /dev/poll
445 -DISC_SOCKET_USE_POLLWATCH=1
446 The watch timeout is also configurable, e.g.,
447 -DISC_SOCKET_POLLWATCH_TIMEOUT=20
448
449 LDFLAGS
450 Linker flags. Defaults to empty string.
451
452 The following need to be set when cross compiling.
453
454 BUILD_CC
455 The native C compiler.
456 BUILD_CFLAGS (optional)
457 BUILD_CPPFLAGS (optional)
458 Possible Settings:
459 -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
460 BUILD_LDFLAGS (optional)
461 BUILD_LIBS (optional)
462
463 To build shared libraries, specify "--with-libtool" on the
464 configure command line.
465
466 For the server to support DNSSEC, you need to build it
467 with crypto support. You must have OpenSSL 0.9.5a
468 or newer installed and specify "--with-openssl" on the
469 configure command line. If OpenSSL is installed under
470 a nonstandard prefix, you can tell configure where to
471 look for it using "--with-openssl=/prefix".
472
473 To build libbind (the BIND 8 resolver library), specify
474 "--enable-libbind" on the configure command line.
475
476 On some platforms it is necessary to explicitly request large
477 file support to handle files bigger than 2GB. This can be
478 done by "--enable-largefile" on the configure command line.
479
480 On some platforms, BIND 9 can be built with multithreading
481 support, allowing it to take advantage of multiple CPUs.
482 You can specify whether to build a multithreaded BIND 9
483 by specifying "--enable-threads" or "--disable-threads"
484 on the configure command line. The default is operating
485 system dependent.
486
487 Support for the "fixed" rrset-order option can be enabled
488 or disabled by specifying "--enable-fixed-rrset" or
489 "--disable-fixed-rrset" on the configure command line.
490 The default is "disabled", to reduce memory footprint.
491
492 If your operating system has integrated support for IPv6, it
493 will be used automatically. If you have installed KAME IPv6
494 separately, use "--with-kame[=PATH]" to specify its location.
495
496 "make install" will install "named" and the various BIND 9 libraries.
497 By default, installation is into /usr/local, but this can be changed
498 with the "--prefix" option when running "configure".
499
500 You may specify the option "--sysconfdir" to set the directory
501 where configuration files like "named.conf" go by default,
502 and "--localstatedir" to set the default parent directory
503 of "run/named.pid". For backwards compatibility with BIND 8,
504 --sysconfdir defaults to "/etc" and --localstatedir defaults to
505 "/var" if no --prefix option is given. If there is a --prefix
506 option, sysconfdir defaults to "$prefix/etc" and localstatedir
507 defaults to "$prefix/var".
508
509 To see additional configure options, run "configure --help".
510 Note that the help message does not reflect the BIND 8
511 compatibility defaults for sysconfdir and localstatedir.
512
513 If you're planning on making changes to the BIND 9 source, you
514 should also "make depend". If you're using Emacs, you might find
515 "make tags" helpful.
516
517 If you need to re-run configure please run "make distclean" first.
518 This will ensure that all the option changes take.
519
520 Building with gcc is not supported, unless gcc is the vendor's usual
521 compiler (e.g. the various BSD systems, Linux).
522
523 Known compiler issues:
524 * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
525 * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
526 * gcc-3.3.5 powerpc generates incorrect code at -O2.
527 * Irix, MipsPRO 7.4.1m is known to cause problems.
528
529 A limited test suite can be run with "make test". Many of
530 the tests require you to configure a set of virtual IP addresses
531 on your system, and some require Perl; see bin/tests/system/README
532 for details.
533
534 SunOS 4 requires "printf" to be installed to make the shared
535 libraries. sh-utils-1.16 provides a "printf" which compiles
536 on SunOS 4.
537
538Documentation
539
540 The BIND 9 Administrator Reference Manual is included with the
541 source distribution in DocBook XML and HTML format, in the
542 doc/arm directory.
543
544 Some of the programs in the BIND 9 distribution have man pages
545 in their directories. In particular, the command line
546 options of "named" are documented in /bin/named/named.8.
547 There is now also a set of man pages for the lwres library.
548
549 If you are upgrading from BIND 8, please read the migration
550 notes in doc/misc/migration. If you are upgrading from
551 BIND 4, read doc/misc/migration-4to9.
552
553 Frequently asked questions and their answers can be found in
554 FAQ.
555
556
557Bug Reports and Mailing Lists
558
559 Bug reports should be sent to
560
561 bind9-bugs@isc.org
562
563 To join the BIND Users mailing list, send mail to
564
565 bind-users-request@isc.org
566
567 archives of which can be found via
568
569 http://www.isc.org/ops/lists/
570
571 If you're planning on making changes to the BIND 9 source
572 code, you might want to join the BIND Workers mailing list.
573 Send mail to
574
575 bind-workers-request@isc.org
576
577