bind9/README


BIND 9

	BIND version 9 is a major rewrite of nearly all aspects of the
	underlying BIND architecture. This re-architecting of BIND was
	necessitated by the expected demands of:

		- Domain name system growth, particularly in very large
		  zones such as .COM
		- Protocol enhancements necessary to securely query and
		  update zones
		- Protocol enhancements necessary to take advantage of
		  certain architectural features of IP version 6

	These demands implied performance requirements that were not
	necessarily easy to attain with the BIND version 8
	architecture.  In particular, BIND must not only be able to
	run on multi-processor multi-threaded systems, but must take
	full advantage of the performance enhancements these
	architectures can provide. In addition, the underlying data
	storage architecture of BIND version 8 does not lend itself to
	implementing alternative back end databases, such as would be
	desirable for the support of multi-gigabyte zones. As such
	zones are easily foreseeable in the relatively near future,
	the data storage architecture needed revision. The feature
	requirements for BIND version 9 included:

		- Scalability
			Thread safety
		        Multi-processor scalability
		        Support for very large zones

		- Security
		        Support for DNSSEC
		        Support for TSIG
		        Auditability (code and operation)
		        Firewall support (split DNS)

		- Portability

		- Maintainability

		- Protocol Enhancements
		        IXFR, DDNS, Notify, EDNS0
		        Improved standards conformance

		- Operational enhancements
		        High availability and reliability
		        Support for alternative back end databases

		- IP version 6 support
		        IPv6 resource records (A6, DNAME, etc.)
		        Bitstring labels
		        APIs

	BIND version 9 development has been underwritten by the following
	organizations:

	        Sun Microsystems, Inc.
	        Hewlett Packard
	        Compaq Computer Corporation
	        IBM
	        Process Software Corporation
	        Silicon Graphics, Inc.
	        Network Associates, Inc.
	        U.S. Defense Information Systems Agency
		USENIX Association
		Stichting NLnet - NLnet Foundation


BIND 9.1.0a1

	This is an unreleased alpha version of BIND 9.1.0.

	For a detailed list of user-visible changes from
	previous releases, see the CHANGES file.	


Building

	BIND 9 currently requires a UNIX system with an ANSI C compiler,
	basic POSIX support, and a good pthreads implementation.

	We've had successful builds and tests on the following systems:

		AIX 4.3
		COMPAQ Tru64 UNIX 4.0D
                COMPAQ Tru64 UNIX 5 (with IPv6 EAK)
		FreeBSD 3.4-STABLE
		HP-UX 11
		IRIX64 6.5
		NetBSD-current (with "unproven" pthreads)
		Red Hat Linux 6.0, 6.1, 6.2
		Solaris 2.6, 7, 8 (beta)

	To build, just

		./configure
		make

        Several environment variables that can be set before running
        configure will affect compilation:

            CC
                The C compiler to use.  configure tries to figure
                out the right one for supported systems.

            CFLAGS
                C compiler flags.  Defaults to include -g and/or -O2
                as supported by the compiler.

            STD_CINCLUDES
                System header file directories.  Can be used to specify
                where add-on thread or IPv6 support is, for example.
                Defaults to empty string.

            STD_CDEFINES
                Any additional preprocessor symbols you want defined.
                Defaults to empty string.

        To build shared libraries, specify "--with-libtool" on the
	configure command line.

	If your operating system has integrated support for IPv6, it
	will be used automatically.  If you have installed KAME IPv6
	separately, use "--with-kame[=PATH]" to specify its location.
	
        To see additional configure options, run "configure --help".

	"make install" will install "named" and the various BIND 9 libraries.
	By default, installation is into /usr/local, but this can be changed
	with the "--prefix" option when running "configure".

	If you're planning on making changes to the BIND 9 source, you
	should also "make depend".  If you're using Emacs, you might find
	"make tags" helpful.

	Building with gcc is not supported, unless gcc is the vendor's usual
	compiler (e.g. the various BSD systems, Linux).

	Parts of the library can be tested by running "make test" from the
	bin/tests subdirectory.


Bug Reports and Mailing Lists

	Bugs reports should be sent to

		bind9-bugs@isc.org

	To join the BIND 9 Users mailing list, send mail to

		bind9-users-request@isc.org

	If you're planning on making changes to the BIND 9 source
	code, you might want to join the BIND 9 Workers mailing list.
	Send mail to

		bind9-workers-request@isc.org


"named" command line options

	-c <config_file>

	-d <debug_level>

	-f				Run in the foreground.

	-g				Run in the foreground and log
					to stderr, ignoring any "logging"
					statement in in the config file.

	-n <number_of_cpus>		

	-t <directory>			Chroot to <directory> before running.

	-u <username>			Run as user <username> after binding
					to privileged ports.

	Use of the "-t" option while still running as "root" doesn't
	enhance security on most systems.  The way chroot() is defined
	allows a process with root privileges to escape the chroot jail.

	The "-u" option is not currently useful on Linux kernels older
	than 2.3.99-pre3.  Linux threads are actually processes sharing a
	common address space.  An unfortunate side effect of this is that
	some system calls, e.g. setuid() that in a typical pthreads
	environment would affect all threads only affect the calling
	thread/process on Linux.  The good news is that BIND 9 uses the
	Linux kernel's capability mechanism to drop all root powers except
	the ability to bind() to a privileged port.  2.3.99-pre3 and later
	kernels allow a process to say that its capabilities should be
	retained after setuid().  If BIND 9 is compiled with 2.3.99-pre3 or
	later kernel .h files, the "-u" option will cause the server to
	run with the specified user id, but it will retain the capability
	to bind() to privileged ports.

	On systems with more than one CPU, the "-n" option should be used
	to indicate how many CPUs there are.  If the "-n" option is not
	provided, named will attempt to determine the number of available
	CPUs and use all of them.
add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`BIND 9`
update 1999-05-03 16:52:18 -04:00
checkpoint 2000-02-04 17:54:46 -05:00			`BIND version 9 is a major rewrite of nearly all aspects of the`
			`underlying BIND architecture. This re-architecting of BIND was`
			`necessitated by the expected demands of:`

			`- Domain name system growth, particularly in very large`
			`zones such as .COM`
			`- Protocol enhancements necessary to securely query and`
			`update zones`
			`- Protocol enhancements necessary to take advantage of`
			`certain architectural features of IP version 6`

			`These demands implied performance requirements that were not`
			`necessarily easy to attain with the BIND version 8`
			`architecture. In particular, BIND must not only be able to`
			`run on multi-processor multi-threaded systems, but must take`
			`full advantage of the performance enhancements these`
			`architectures can provide. In addition, the underlying data`
			`storage architecture of BIND version 8 does not lend itself to`
			`implementing alternative back end databases, such as would be`
			`desirable for the support of multi-gigabyte zones. As such`
			`zones are easily foreseeable in the relatively near future,`
			`the data storage architecture needed revision. The feature`
			`requirements for BIND version 9 included:`

			`- Scalability`
			`Thread safety`
			`Multi-processor scalability`
			`Support for very large zones`

			`- Security`
			`Support for DNSSEC`
			`Support for TSIG`
			`Auditability (code and operation)`
			`Firewall support (split DNS)`

			`- Portability`

			`- Maintainability`

			`- Protocol Enhancements`
			`IXFR, DDNS, Notify, EDNS0`
			`Improved standards conformance`

			`- Operational enhancements`
			`High availability and reliability`
			`Support for alternative back end databases`

			`- IP version 6 support`
			`IPv6 resource records (A6, DNAME, etc.)`
			`Bitstring labels`
			`APIs`

			`BIND version 9 development has been underwritten by the following`
			`organizations:`

			`Sun Microsystems, Inc.`
			`Hewlett Packard`
			`Compaq Computer Corporation`
			`IBM`
			`Process Software Corporation`
			`Silicon Graphics, Inc.`
			`Network Associates, Inc.`
			`U.S. Defense Information Systems Agency`
add missing underwriters 2000-02-04 20:14:42 -05:00			`USENIX Association`
			`Stichting NLnet - NLnet Foundation`
update 1999-05-03 16:52:18 -04:00

updated and edited to be appropriate for mainline 2000-06-28 13:44:56 -04:00			`BIND 9.1.0a1`
update 1999-05-03 16:52:18 -04:00
updated and edited to be appropriate for mainline 2000-06-28 13:44:56 -04:00			`This is an unreleased alpha version of BIND 9.1.0.`
update 1999-05-03 16:52:18 -04:00
updated and edited to be appropriate for mainline 2000-06-28 13:44:56 -04:00			`For a detailed list of user-visible changes from`
			`previous releases, see the CHANGES file.`
checkpoint 2000-02-04 17:54:46 -05:00
update 1999-05-03 16:52:18 -04:00
			`Building`

checkpoint 2000-02-04 13:12:43 -05:00			`BIND 9 currently requires a UNIX system with an ANSI C compiler,`
			`basic POSIX support, and a good pthreads implementation.`

added section for platforms other people report to us as working 2000-06-05 20:34:55 -04:00			`We've had successful builds and tests on the following systems:`
checkpoint 2000-02-04 13:03:07 -05:00
			`AIX 4.3`
			`COMPAQ Tru64 UNIX 4.0D`
updated and edited to be appropriate for mainline 2000-06-28 13:44:56 -04:00			`COMPAQ Tru64 UNIX 5 (with IPv6 EAK)`
add FreeBSD 2000-02-09 14:27:55 -05:00			`FreeBSD 3.4-STABLE`
checkpoint 2000-02-04 13:03:07 -05:00			`HP-UX 11`
			`IRIX64 6.5`
updated and edited to be appropriate for mainline 2000-06-28 13:44:56 -04:00			`NetBSD-current (with "unproven" pthreads)`
RH 6.2 works 2000-04-17 13:53:52 -04:00			`Red Hat Linux 6.0, 6.1, 6.2`
checkpoint 2000-02-04 13:03:07 -05:00			`Solaris 2.6, 7, 8 (beta)`

			`To build, just`

			`./configure`
			`make`

document CC/CFLAGS/STD_CINCLUDES/STD_CDEFINES for configure 2000-04-04 16:56:00 -04:00			`Several environment variables that can be set before running`
			`configure will affect compilation:`

			`CC`
			`The C compiler to use. configure tries to figure`
			`out the right one for supported systems.`

			`CFLAGS`
			`C compiler flags. Defaults to include -g and/or -O2`
			`as supported by the compiler.`

			`STD_CINCLUDES`
			`System header file directories. Can be used to specify`
			`where add-on thread or IPv6 support is, for example.`
			`Defaults to empty string.`

			`STD_CDEFINES`
			`Any additional preprocessor symbols you want defined.`
			`Defaults to empty string.`

clarified documentation on configure options; removed the mention of --with-mit-pthreads as this option no longer exists, and of --with-ptl2 as this option is for experimental use only 2000-05-12 15:34:20 -04:00			`To build shared libraries, specify "--with-libtool" on the`
			`configure command line.`

reworded --with-kame explanation 2000-05-12 15:42:25 -04:00			`If your operating system has integrated support for IPv6, it`
			`will be used automatically. If you have installed KAME IPv6`
			`separately, use "--with-kame[=PATH]" to specify its location.`
clarified documentation on configure options; removed the mention of --with-mit-pthreads as this option no longer exists, and of --with-ptl2 as this option is for experimental use only 2000-05-12 15:34:20 -04:00
			`To see additional configure options, run "configure --help".`
[RT #105] note availability of --with-kame, --with-mit-pthreads & --with-ptl2. also briefly point to the tests programs built with make all_tests in bin/tests. 2000-05-12 14:12:47 -04:00
checkpoint 2000-02-04 13:03:07 -05:00			`"make install" will install "named" and the various BIND 9 libraries.`
			`By default, installation is into /usr/local, but this can be changed`
			`with the "--prefix" option when running "configure".`

suggest that developers make the depend target 2000-02-24 16:12:05 -05:00			`If you're planning on making changes to the BIND 9 source, you`
			`should also "make depend". If you're using Emacs, you might find`
			`"make tags" helpful.`

checkpoint 2000-02-04 13:03:07 -05:00			`Building with gcc is not supported, unless gcc is the vendor's usual`
			`compiler (e.g. the various BSD systems, Linux).`

add "make test" info 2000-02-04 18:09:41 -05:00			`Parts of the library can be tested by running "make test" from the`
don't encourage people to use the tests built by 'make all_tests'; we don't even use them ourselves and they are likely to simply not work at this point 2000-05-22 15:21:14 -04:00			`bin/tests subdirectory.`

checkpoint 2000-02-04 13:03:07 -05:00
			`Bug Reports and Mailing Lists`

			`Bugs reports should be sent to`

			`bind9-bugs@isc.org`

			`To join the BIND 9 Users mailing list, send mail to`

			`bind9-users-request@isc.org`

			`If you're planning on making changes to the BIND 9 source`
			`code, you might want to join the BIND 9 Workers mailing list.`
			`Send mail to`

			`bind9-workers-request@isc.org`

add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`"named" command line options`
add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`-c <config_file>`
add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`-d <debug_level>`
add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`-f Run in the foreground.`
add 1999-02-01 21:07:21 -05:00
foreground mode with logging to stderr is now -g, not -ff 2000-02-29 13:37:14 -05:00			`-g Run in the foreground and log`
			`to stderr, ignoring any "logging"`
end sentence with period 2000-02-29 13:58:10 -05:00			`statement in in the config file.`
foreground mode with logging to stderr is now -g, not -ff 2000-02-29 13:37:14 -05:00
renamed -N option to -n for portability 2000-02-28 17:36:34 -05:00			`-n <number_of_cpus>`
add 1999-02-01 21:07:21 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`-t <directory> Chroot to <directory> before running.`
update 1999-05-03 16:52:18 -04:00
checkpoint 2000-02-04 13:03:07 -05:00			`-u <username> Run as user <username> after binding`
			`to privileged ports.`
update 1999-11-01 21:03:32 -05:00
checkpoint 2000-02-04 13:03:07 -05:00			`Use of the "-t" option while still running as "root" doesn't`
			`enhance security on most systems. The way chroot() is defined`
			`allows a process with root privileges to escape the chroot jail.`
update 1999-11-01 21:03:32 -05:00
Linux PR_SET_KEEPCAPS support 2000-04-11 14:51:19 -04:00			`The "-u" option is not currently useful on Linux kernels older`
			`than 2.3.99-pre3. Linux threads are actually processes sharing a`
			`common address space. An unfortunate side effect of this is that`
			`some system calls, e.g. setuid() that in a typical pthreads`
			`environment would affect all threads only affect the calling`
			`thread/process on Linux. The good news is that BIND 9 uses the`
			`Linux kernel's capability mechanism to drop all root powers except`
			`the ability to bind() to a privileged port. 2.3.99-pre3 and later`
			`kernels allow a process to say that its capabilities should be`
			`retained after setuid(). If BIND 9 is compiled with 2.3.99-pre3 or`
			`later kernel .h files, the "-u" option will cause the server to`
			`run with the specified user id, but it will retain the capability`
			`to bind() to privileged ports.`
update 1999-05-03 16:52:18 -04:00
renamed -N option to -n for portability 2000-02-28 17:36:34 -05:00			`On systems with more than one CPU, the "-n" option should be used`
without -n, we can probe for the number of CPUs 2000-06-23 17:52:55 -04:00			`to indicate how many CPUs there are. If the "-n" option is not`
			`provided, named will attempt to determine the number of available`
			`CPUs and use all of them.`
update 1999-05-03 16:52:18 -04:00