BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

TSIG (signed DNS requests)

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Sun Microsystems, Inc.
Compaq Computer Corporation
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
Stichting NLnet - NLnet Foundation

BIND 9.3.4 is a security release.

BIND 9.3.3 is a maintenance release, containing fixes for
a number of bugs in 9.3.2.

BIND 9.3.2 is a maintenance release, containing fixes for
a number of bugs in 9.3.1.

libbind: corresponds to that from BIND 8.4.7-REL.

The following INSIST can be triggered with DNSSEC enabled.

resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig)) failed

We are still trying to isolate the cause. If you have a core
dump, please send a bug report to bind9-bugs@isc.org with
the location of the core, named executable and OS details.

Note: contrib/nanny contains a perl script to restart named
in the event of an INSIST/REQUIRE/ENSURE failure.

BIND 9.3.1 is a maintenance release, containing fixes for
a number of bugs in 9.3.0.

libbind: corresponds to that from BIND 8.4.6-REL.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.
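
The NOTIMP/NOTIMPL change above breaks scripts that match the old spelling in dig output. The following status check tolerates both spellings; it is an added example, not part of the BIND distribution, and the function names and sample header lines are constructed for illustration:

```shell
#!/bin/sh
# Added example: parse the rcode from dig's header line and accept both
# the pre-9.3.0 spelling (NOTIMPL) and the 9.3.0 spelling (NOTIMP).

# Constructed sample header lines in the style of dig output.
OLD_HEADER=';; ->>HEADER<<- opcode: QUERY, status: NOTIMPL, id: 4242'
NEW_HEADER=';; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 4242'

# Brittle check of the kind the release note warns about: a fixed-string
# match on the old spelling. Succeeds only for pre-9.3.0 output.
legacy_is_notimpl() {
    grep -q 'status: NOTIMPL,'
}

# Print the status token from the first header line on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1
}

# Map both spellings to one canonical value; pass other rcodes through.
normalize_rcode() {
    case "$1" in
        NOTIMP|NOTIMPL) echo NOTIMP ;;
        '')             echo UNKNOWN ;;
        *)              echo "$1" ;;
    esac
}

# Read dig output on stdin, print the canonical rcode.
rcode_from_dig() {
    normalize_rcode "$(dig_status)"
}

for h in "$OLD_HEADER" "$NEW_HEADER"; do
    printf '%s -> %s\n' "$h" "$(printf '%s\n' "$h" | rcode_from_dig)"
done
```

A monitoring script that compares against the normalized value keeps working while servers and tools on both sides of the 9.3.0 change coexist.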

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows NT/2000.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

--with-libtool does not work on SunOS 4. configure
requires "printf" which is not available.

A bug in the Windows 2000 DNS server can cause zone transfers
from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
Solaris 8, 9, 9 (x86)
Windows NT/2000/XP/2003

Additionally, we have unverified reports of success building
previous versions of BIND 9 from users of the following systems:

Slackware Linux 7.x, 8.0
Debian GNU/Linux 2.2 and 3.0
OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
Mac OS X 10.1, 10.3.8

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
    -DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
Disable dropping queries from particular well known ports.
    -DNS_CLIENT_DROPPORT=0

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
    -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To build libbind (the BIND 8 resolver library), specify
"--enable-libbind" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure, please run "make distclean" first.
This will ensure that all the option changes take effect.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

bind-users-request@isc.org

archives of which can be found via

http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

bind-workers-request@isc.org