BIND 9

    BIND version 9 is a major rewrite of nearly all aspects of the
    underlying BIND architecture. Some of the important features of
    BIND 9 are:

        - DNS Security
            DNSSEC (signed zones)
            TSIG (signed DNS requests)

        - IP version 6
            Answers DNS queries on IPv6 sockets
            IPv6 resource records (AAAA)
            Experimental IPv6 Resolver Library

        - DNS Protocol Enhancements
            IXFR, DDNS, Notify, EDNS0
            Improved standards conformance

        - Views
            One server process can provide multiple "views" of
            the DNS namespace, e.g. an "inside" view to certain
            clients, and an "outside" view to others.

        - Multiprocessor Support

        - Improved Portability Architecture


    BIND version 9 development has been underwritten by the following
    organizations:

        Sun Microsystems, Inc.
        Hewlett Packard
        Compaq Computer Corporation
        IBM
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        USENIX Association
        Stichting NLnet - NLnet Foundation
        Nominum, Inc.

BIND 9.3.4-P1

    BIND 9.3.4-P1 is a security release.

BIND 9.3.4

    BIND 9.3.4 is a security release.

BIND 9.3.3

    BIND 9.3.3 is a maintenance release, containing fixes for
    a number of bugs in 9.3.2.

BIND 9.3.2

    BIND 9.3.2 is a maintenance release, containing fixes for
    a number of bugs in 9.3.1.

    libbind: corresponds to that from BIND 8.4.7-REL.

    Known Issues:

        The following INSIST can be triggered with DNSSEC enabled.

resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig)) failed

        We are still trying to isolate the cause. If you have a core
        dump, please send a bug report to bind9-bugs@isc.org with
        the location of the core, named executable and OS details.

        Note: contrib/nanny contains a perl script to restart named
        in the event of an INSIST/REQUIRE/ENSURE failure.

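An added example, not part of the BIND distribution or the contrib/nanny script: a shell function that picks INSIST/REQUIRE/ENSURE failures out of a named log so that a crash like the one above can be counted and alerted on. The sample log is constructed; only the "file.c:line: KIND(...) failed" shape comes from the message quoted above, while the syslog prefix and the example.c entry are assumptions.

```shell
#!/bin/sh
# Added example (not from the BIND distribution or contrib/nanny).
# Message shape taken from the README: <file>.c:<line>: INSIST(<cond>) failed

# Constructed sample log; the syslog prefix and example.c line are made up.
sample_named_log() {
    cat <<'EOF'
Mar  3 04:12:01 ns1 named[311]: zone example.test/IN: loaded serial 2006010101
Mar  3 04:15:44 ns1 named[311]: resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset)) failed
Mar  3 04:15:44 ns1 named[311]: exiting (due to assertion failure)
Mar  3 09:30:10 ns1 named[977]: example.c:10: REQUIRE(ptr != ((void *)0)) failed
Mar  3 09:31:00 ns1 named[977]: client 192.0.2.7#5353: query failed (SERVFAIL)
EOF
}

# Read log lines on stdin; print "<file>:<line> <KIND>" for each failure.
named_assert_failures() {
    awk '
    match($0, /[A-Za-z0-9_.-]+\.c:[0-9]+: (INSIST|REQUIRE|ENSURE)\(/) &&
    /\) failed$/ {
        hit = substr($0, RSTART, RLENGTH)  # e.g. "resolver.c:762: INSIST("
        split(hit, part, ": ")             # part[1]=file:line, part[2]=KIND(
        kind = part[2]
        sub(/\($/, "", kind)
        print part[1], kind
    }'
}

# Number of assertion failures seen on stdin.
named_assert_count() {
    named_assert_failures | wc -l | tr -d ' '
}

sample_named_log | named_assert_failures
```

Ordinary "query failed" lines are ignored because the match requires the source-file prefix and the assertion keyword together.
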
BIND 9.3.1

    BIND 9.3.1 is a maintenance release, containing fixes for
    a number of bugs in 9.3.0.

    libbind: corresponds to that from BIND 8.4.6-REL.

BIND 9.3.0

    BIND 9.3.0 has a number of new features over 9.2,
    including:

        DNSSEC is now DS based (RFC 3658).
        See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

        DNSSEC lookaside validation.

        check-names is now implemented.
        rrset-order is more complete.

        IPv4/IPv6 transition support, dual-stack-servers.

        IXFR deltas can now be generated when loading master files,
        ixfr-from-differences.

        It is now possible to specify the size of a journal, max-journal-size.

        It is now possible to define a named set of master servers to be
        used in masters clause, masters.

        The advertised EDNS UDP size can now be set, edns-udp-size.

        allow-v6-synthesis has been obsoleted.

    NOTE:
        * Zones containing MD and MF will now be rejected.
        * dig, nslookup name. now report "Not Implemented" as
          NOTIMP rather than NOTIMPL. This will have impact on scripts
          that are looking for NOTIMPL.

    libbind: corresponds to that from BIND 8.4.5.

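An added example, not from the BIND distribution, for the NOTIMP/NOTIMPL note in the 9.3.0 entry above: a monitoring script can read the response code from dig or nslookup output and accept both spellings, so the check keeps working on either side of the upgrade. The sample outputs are constructed, and the line shapes (the dig ";; ->>HEADER<<-" line and the nslookup "** server can't find" line) are assumed to be the usual ones.

```shell
#!/bin/sh
# Added example: normalise the rcode reported by dig or nslookup so that a
# script matches "Not Implemented" whether it is spelled NOTIMP or NOTIMPL.

# Constructed sample outputs (names and addresses are documentation values).
sample_dig_new() {
    cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 4660
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_dig_old() {
    cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMPL, id: 4660
EOF
}
sample_nslookup_old() {
    cat <<'EOF'
Server:         192.0.2.53
Address:        192.0.2.53#53

** server can't find example.test: NOTIMPL
EOF
}

# Read tool output on stdin; print the first rcode found, normalised.
lookup_rcode() {
    awk '
    /^;; ->>HEADER<<-/ {                      # dig header line
        for (i = 1; i < NF; i++)
            if ($i == "status:") { rc = $(i + 1); sub(/,$/, "", rc) }
    }
    /^\*\* server can.t find / { rc = $NF }   # nslookup failure line
    rc != "" {
        if (rc == "NOTIMPL") rc = "NOTIMP"    # old spelling, new spelling
        print rc
        exit
    }'
}

sample_dig_old | lookup_rcode
```
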
BIND 9.2.0

    BIND 9.2.0 has a number of new features over 9.1,
    including:

        - The size of the cache can now be limited using the
          "max-cache-size" option.

        - The server can now automatically convert RFC1886-style
          recursive lookup requests into RFC2874-style lookups,
          when enabled using the new option "allow-v6-synthesis".
          This allows stub resolvers that support AAAA records
          but not A6 record chains or binary labels to perform
          lookups in domains that make use of these IPv6 DNS
          features.

        - Performance has been improved.

        - The man pages now use the more portable "man" macros
          rather than the "mandoc" macros, and are installed
          by "make install".

        - The named.conf parser has been completely rewritten.
          It now supports "include" directives in more
          places such as inside "view" statements, and it no
          longer has any reserved words.

        - The "rndc status" command is now implemented.

        - rndc can now be configured automatically.

        - A BIND 8 compatible stub resolver library is now
          included in lib/bind.

        - OpenSSL has been removed from the distribution. This
          means that to use DNSSEC, OpenSSL must be installed and
          the --with-openssl option must be supplied to configure.
          This does not apply to the use of TSIG, which does not
          require OpenSSL.

        - The source distribution now builds on Windows NT/2000.
          See win32utils/readme1.txt and win32utils/win32-build.txt
          for details.

    This distribution also includes a new lightweight stub
    resolver library and associated resolver daemon that fully
    support forward and reverse lookups of both IPv4 and IPv6
    addresses. This library is considered experimental and
    is not a complete replacement for the BIND 8 resolver library.
    Applications that use the BIND 8 res_* functions to perform
    DNS lookups or dynamic updates still need to be linked against
    the BIND 8 libraries. For DNS lookups, they can also use the
    new "getrrsetbyname()" API.

    BIND 9.2 is capable of acting as an authoritative server
    for DNSSEC secured zones. This functionality is believed to
    be stable and complete except for lacking support for
    verifications involving wildcard records in secure zones.

    When acting as a caching server, BIND 9.2 can be configured
    to perform DNSSEC secure resolution on behalf of its clients.
    This part of the DNSSEC implementation is still considered
    experimental. For detailed information about the state of the
    DNSSEC implementation, see the file doc/misc/dnssec.

    There are a few known bugs:

        On some systems, IPv6 and IPv4 sockets interact in
        unexpected ways. For details, see doc/misc/ipv6.
        To reduce the impact of these problems, the server
        no longer listens for requests on IPv6 addresses
        by default. If you need to accept DNS queries over
        IPv6, you must specify "listen-on-v6 { any; };"
        in the named.conf options statement.

        FreeBSD prior to 4.2 (and 4.2 if running as non-root)
        and OpenBSD prior to 2.8 log messages like
        "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
        This is due to a bug in "/dev/random" and impacts the
        server's DNSSEC support.

        OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
        OS X 10.2 (Darwin 6.0) report errors like
        "fcntl(3, F_SETFL, 4): Operation not supported by device".
        This is due to a bug in "/dev/random" and impacts the
        server's DNSSEC support.

        --with-libtool does not work on AIX.

        --with-libtool does not work on SunOS 4. configure
        requires "printf" which is not available.

        A bug in the Windows 2000 DNS server can cause zone transfers
        from a BIND 9 server to a W2K server to fail. For details,
        see the "Zone Transfers" section in doc/misc/migration.

    For a detailed list of user-visible changes from
    previous releases, see the CHANGES file.


Building

    BIND 9 currently requires a UNIX system with an ANSI C compiler,
    basic POSIX support, and a 64 bit integer type.

    We've had successful builds and tests on the following systems:

        COMPAQ Tru64 UNIX 5.1B
        FreeBSD 4.10, 5.2.1
        HP-UX 11.11
        NetBSD 1.5
        Slackware Linux 8.1
        Solaris 8, 9, 9 (x86)
        Windows NT/2000/XP/2003

    Additionally, we have unverified reports of success building
    previous versions of BIND 9 from users of the following systems:

        AIX 5L
        SuSE Linux 7.0
        Slackware Linux 7.x, 8.0
        Red Hat Linux 7.1
        Debian GNU/Linux 2.2 and 3.0
        Mandrake 8.1
        OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
        UnixWare 7.1.1
        HP-UX 10.20
        BSD/OS 4.2
        Mac OS X 10.1, 10.3.8

    To build, just

        ./configure
        make

    Do not use a parallel "make".

    Several environment variables that can be set before running
    configure will affect compilation:

        CC
            The C compiler to use. configure tries to figure
            out the right one for supported systems.

        CFLAGS
            C compiler flags. Defaults to include -g and/or -O2
            as supported by the compiler.

        STD_CINCLUDES
            System header file directories. Can be used to specify
            where add-on thread or IPv6 support is, for example.
            Defaults to empty string.

        STD_CDEFINES
            Any additional preprocessor symbols you want defined.
            Defaults to empty string.

            Possible settings:
            Change the default syslog facility of named/lwresd.
                -DISC_FACILITY=LOG_LOCAL0
            Enable DNSSEC signature chasing support in dig.
                -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
                    -DDIG_SIGCHASE_BU=1)
            Disable dropping queries from particular well known ports.
                -DNS_CLIENT_DROPPORT=0

        LDFLAGS
            Linker flags. Defaults to empty string.

    The following need to be set when cross compiling.

        BUILD_CC
            The native C compiler.
        BUILD_CFLAGS (optional)
        BUILD_CPPFLAGS (optional)
            Possible Settings:
            -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
        BUILD_LDFLAGS (optional)
        BUILD_LIBS (optional)

    To build shared libraries, specify "--with-libtool" on the
    configure command line.

    For the server to support DNSSEC, you need to build it
    with crypto support. You must have OpenSSL 0.9.5a
    or newer installed and specify "--with-openssl" on the
    configure command line. If OpenSSL is installed under
    a nonstandard prefix, you can tell configure where to
    look for it using "--with-openssl=/prefix".

    To build libbind (the BIND 8 resolver library), specify
    "--enable-libbind" on the configure command line.

    On some platforms, BIND 9 can be built with multithreading
    support, allowing it to take advantage of multiple CPUs.
    You can specify whether to build a multithreaded BIND 9
    by specifying "--enable-threads" or "--disable-threads"
    on the configure command line. The default is operating
    system dependent.

    If your operating system has integrated support for IPv6, it
    will be used automatically. If you have installed KAME IPv6
    separately, use "--with-kame[=PATH]" to specify its location.

    "make install" will install "named" and the various BIND 9 libraries.
    By default, installation is into /usr/local, but this can be changed
    with the "--prefix" option when running "configure".

    You may specify the option "--sysconfdir" to set the directory
    where configuration files like "named.conf" go by default,
    and "--localstatedir" to set the default parent directory
    of "run/named.pid". For backwards compatibility with BIND 8,
    --sysconfdir defaults to "/etc" and --localstatedir defaults to
    "/var" if no --prefix option is given. If there is a --prefix
    option, sysconfdir defaults to "$prefix/etc" and localstatedir
    defaults to "$prefix/var".

    To see additional configure options, run "configure --help".
    Note that the help message does not reflect the BIND 8
    compatibility defaults for sysconfdir and localstatedir.

    If you're planning on making changes to the BIND 9 source, you
    should also "make depend". If you're using Emacs, you might find
    "make tags" helpful.

    If you need to re-run configure please run "make distclean" first.
    This will ensure that all the option changes take.

    Building with gcc is not supported, unless gcc is the vendor's usual
    compiler (e.g. the various BSD systems, Linux).

    Known compiler issues:
    * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
    * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
    * gcc-3.3.5 powerpc generates incorrect code at -O2.
    * Irix, MipsPRO 7.4.1m is known to cause problems.

    A limited test suite can be run with "make test". Many of
    the tests require you to configure a set of virtual IP addresses
    on your system, and some require Perl; see bin/tests/system/README
    for details.


Documentation

    The BIND 9 Administrator Reference Manual is included with the
    source distribution in DocBook XML and HTML format, in the
    doc/arm directory.

    Some of the programs in the BIND 9 distribution have man pages
    in their directories. In particular, the command line
    options of "named" are documented in /bin/named/named.8.
    There is now also a set of man pages for the lwres library.

    If you are upgrading from BIND 8, please read the migration
    notes in doc/misc/migration. If you are upgrading from
    BIND 4, read doc/misc/migration-4to9.

    Frequently asked questions and their answers can be found in
    FAQ.


Bug Reports and Mailing Lists

    Bug reports should be sent to

        bind9-bugs@isc.org

    To join the BIND Users mailing list, send mail to

        bind-users-request@isc.org

    archives of which can be found via

        http://www.isc.org/ops/lists/

    If you're planning on making changes to the BIND 9 source
    code, you might want to join the BIND Workers mailing list.
    Send mail to

        bind-workers-request@isc.org
