diff --git a/HISTORY b/HISTORY index c446aecb9c..e69de29bb2 100644 --- a/HISTORY +++ b/HISTORY @@ -1,279 +0,0 @@ -Functional enhancements from prior major releases of BIND 9 - -BIND 9.9.0 - -BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier -releases. New features include: - - * Inline signing, allowing automatic DNSSEC signing of master zones - without modification of the zonefile, or "bump in the wire" signing in - slaves. - * NXDOMAIN redirection. - * New 'rndc flushtree' command clears all data under a given name from - the DNS cache. - * New 'rndc sync' command dumps pending changes in a dynamic zone to - disk without a freeze/thaw cycle. - * New 'rndc signing' command displays or clears signing status records - in 'auto-dnssec' zones. - * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to - signing, eliminating the need to initially sign with NSEC. - * Startup time improvements on large authoritative servers. - * Slave zones are now saved in raw format by default. - * Several improvements to response policy zones (RPZ). - * Improved hardware scalability by using multiple threads to listen for - queries and using finer-grained client locking - * The 'also-notify' option now takes the same syntax as 'masters', so it - can used named masterlists and TSIG keys. - * 'dnssec-signzone -D' writes an output file containing only DNSSEC - data, which can be included by the primary zone file. - * 'dnssec-signzone -R' forces removal of signatures that are not expired - but were created by a key which no longer exists. - * 'dnssec-signzone -X' allows a separate expiration date to be specified - for DNSKEY signatures from other signatures. - * New '-L' option to dnssec-keygen, dnssec-settime, and - dnssec-keyfromlabel sets the default TTL for the key. - * dnssec-dsfromkey now supports reading from standard input, to make it - easier to convert DNSKEY to DS. - * RFC 1918 reverse zones have been added to the empty-zones table per - RFC 6303. - * Dynamic updates can now optionally set the zone's SOA serial number to - the current UNIX time. - * DLZ modules can now retrieve the source IP address of the querying - client. - * 'request-ixfr' option can now be set at the per-zone level. - * 'dig +rrcomments' turns on comments about DNSKEY records, indicating - their key ID, algorithm and function - * Simplified nsupdate syntax and added readline support - -BIND 9.8.0 - -BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier -releases. New features include: - - * Built-in trust anchor for the root zone, which can be switched on via - "dnssec-validation auto;" - * Support for DNS64. - * Support for response policy zones (RPZ). - * Support for writable DLZ zones. - * Improved ease of configuration of GSS/TSIG for interoperability with - Active Directory - * Support for GOST signing algorithm for DNSSEC. - * Removed RTT Banding from server selection algorithm. - * New "static-stub" zone type. - * Allow configuration of resolver timeouts via "resolver-query-timeout" - option. - * The DLZ "dlopen" driver is now built by default. - * Added a new include file with function typedefs for the DLZ "dlopen" - driver. - * Made "--with-gssapi" default. - * More verbose error reporting from DLZ LDAP. - -BIND 9.7.0 - -BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier -releases. Most are intended to simplify DNSSEC configuration. New features -include: - - * Fully automatic signing of zones by "named". - * Simplified configuration of DNSSEC Lookaside Validation (DLV). - * Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) - * New named option "attach-cache" that allows multiple views to share a - single cache. - * DNS rebinding attack prevention. - * New default values for dnssec-keygen parameters. - * Support for RFC 5011 automated trust anchor maintenance - * Smart signing: simplified tools for zone signing and key maintenance. - * The "statistics-channels" option is now available on Windows. - * A new DNSSEC-aware libdns API for use by non-BIND9 applications - * On some platforms, named and other binaries can now print out a stack - backtrace on assertion failure, to aid in debugging. - * A "tools only" installation mode on Windows, which only installs dig, - host, nslookup and nsupdate. - * Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. - -BIND 9.6.0 - - * Full NSEC3 support - * Automatic zone re-signing - * New update-policy methods tcp-self and 6to4-self - * The BIND 8 resolver library, libbind, has been removed from the BIND 9 - distribution and is now available as a separate download. - * Change the default pid file location from /var/run to /var/run/ - {named,lwresd} for improved chroot/setuid support. - -BIND 9.5.0 - - * GSS-TSIG support (RFC 3645). - * DHCID support. - * Experimental http server and statistics support for named via xml. - * More detailed statistics counters including those supported in BIND 8. - * Faster ACL processing. - * Use Doxygen to generate internal documentation. - * Efficient LRU cache-cleaning mechanism. - * NSID support. - -BIND 9.4.0 - - * Implemented "additional section caching (or acache)", an internal - cache framework for additional section content to improve response - performance. Several configuration options were provided to control - the behavior. - * New notify type 'master-only'. Enable notify for master zones only. - * Accept 'notify-source' style syntax for query-source. - * rndc now allows addresses to be set in the server clauses. - * New option "allow-query-cache". This lets "allow-query" be used to - specify the default zone access level rather than having to have every - zone override the global value. "allow-query-cache" can be set at both - the options and view levels. If "allow-query-cache" is not set then - "allow-recursion" is used if set, otherwise "allow-query" is used if - set unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - * rndc: the source address can now be specified. - * ixfr-from-differences now takes master and slave in addition to yes - and no at the options and view levels. - * Allow the journal's name to be changed via named.conf. - * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the - specified zone. - * 'dig +trace' now randomly selects the next servers to try. Report if - there is a bad delegation. - * Improve check-names error messages. - * Make public the function to read a key file, dst_key_read_public(). - * dig now returns the byte count for axfr/ixfr. - * allow-update is now settable at the options / view level. - * named-checkconf now checks the logging configuration. - * host now can turn on memory debugging flags with '-m'. - * Don't send notify messages to self. - * Perform sanity checks on NS records which refer to 'in zone' names. - * New zone option "notify-delay". Specify a minimum delay between sets - of NOTIFY messages. - * Extend adjusting TTL warning messages. - * Named and named-checkzone can now both check for non-terminal wildcard - records. - * "rndc freeze/thaw" now freezes/thaws all zones. - * named-checkconf now check acls to verify that they only refer to - existing acls. - * The server syntax has been extended to support a range of servers. - * Report differences between hints and real NS rrset and associated - address records. - * Preserve the case of domain names in rdata during zone transfers. - * Restructured the data locking framework using architecture dependent - atomic operations (when available), improving response performance on - multi-processor machines significantly. x86, x86_64, alpha, powerpc, - and mips are currently supported. - * UNIX domain controls are now supported. - * Add support for additional zone file formats for improving loading - performance. The masterfile-format option in named.conf can be used to - specify a non-default format. A separate command named-compilezone was - provided to generate zone files in the new format. Additionally, the - -I and -O options for dnssec-signzone specify the input and output - formats. - * dnssec-signzone can now randomize signature end times (dnssec-signzone - -j jitter). - * Add support for CH A record. - * Add additional zone data constancy checks. named-checkzone has - extended checking of NS, MX and SRV record and the hosts they - reference. named has extended post zone load checks. New zone options: - check-mx and integrity-check. - * edns-udp-size can now be overridden on a per server basis. - * dig can now specify the EDNS version when making a query. - * Added framework for handling multiple EDNS versions. - * Additional memory debugging support to track size and mctx arguments. - * Detect duplicates of UDP queries we are recursing on and drop them. - New stats category "duplicates". - * "USE INTERNAL MALLOC" is now runtime selectable. - * The lame cache is now done on a basis as some servers only appear to - be lame for certain query types. - * Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query and - max-clients-per-query. - * dig: report the number of extra bytes still left in the packet after - processing all the records. - * Support for IPSECKEY rdata type. - * Raise the UDP recieve buffer size to 32k if it is less than 32k. - * x86 and x86_64 now have seperate atomic locking implementations. - * named-checkconf now validates update-policy entries. - * Attempt to make the amount of work performed in a iteration self - tuning. The covers nodes clean from the cache per iteration, nodes - written to disk when rewriting a master file and nodes destroyed per - iteration when destroying a zone or a cache. - * ISC string copy API. - * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC - 1918 zones are not yet covered by this but are likely to be in a - future release. - * New options: empty-server, empty-contact, empty-zones-enable and - disable-empty-zone. - * dig now has a '-q queryname' and '+showsearch' options. - * host/nslookup now continue (default)/fail on SERVFAIL. - * dig now warns if 'RA' is not set in the answer when 'RD' was set in - the query. host/nslookup skip servers that fail to set 'RA' when 'RD' - is set unless a server is explicitly set. - * Integrate contibuted DLZ code into named. - * Integrate contibuted IDN code from JPNIC. - * libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - * DNSSEC is now DS based (RFC 3658). - * DNSSEC lookaside validation. - * check-names is now implemented. - * rrset-order is more complete. - * IPv4/IPv6 transition support, dual-stack-servers. - * IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - * It is now possible to specify the size of a journal, max-journal-size. - * It is now possible to define a named set of master servers to be used - in masters clause, masters. - * The advertised EDNS UDP size can now be set, edns-udp-size. - * allow-v6-synthesis has been obsoleted. - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than - NOTIMPL. This will have impact on scripts that are looking for - NOTIMPL. - * libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - * The size of the cache can now be limited using the "max-cache-size" - option. - * The server can now automatically convert RFC1886-style recursive - lookup requests into RFC2874-style lookups, when enabled using the new - option "allow-v6-synthesis". This allows stub resolvers that support - AAAA records but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS features. - * Performance has been improved. - * The man pages now use the more portable "man" macros rather than the - "mandoc" macros, and are installed by "make install". - * The named.conf parser has been completely rewritten. It now supports - "include" directives in more places such as inside "view" statements, - and it no longer has any reserved words. - * The "rndc status" command is now implemented. - * rndc can now be configured automatically. - * A BIND 8 compatible stub resolver library is now included in lib/bind. - * OpenSSL has been removed from the distribution. This means that to use - DNSSEC, OpenSSL must be installed and the --with-openssl option must - be supplied to configure. This does not apply to the use of TSIG, - which does not require OpenSSL. - * The source distribution now builds on Windows. See win32utils/ - readme1.txt and win32utils/win32-build.txt for details. - * This distribution also includes a new lightweight stub resolver - library and associated resolver daemon that fully support forward and - reverse lookups of both IPv4 and IPv6 addresses. This library is - considered experimental and is not a complete replacement for the BIND - 8 resolver library. Applications that use the BIND 8 res_* functions - to perform DNS lookups or dynamic updates still need to be linked - against the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - * BIND 9.2 is capable of acting as an authoritative server for DNSSEC - secured zones. This functionality is believed to be stable and - complete except for lacking support for verifications involving - wildcard records in secure zones. - * When acting as a caching server, BIND 9.2 can be configured to perform - DNSSEC secure resolution on behalf of its clients. This part of the - DNSSEC implementation is still considered experimental. For detailed - information about the state of the DNSSEC implementation, see the file - doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 0be74b7aac..e69de29bb2 100644 --- a/OPTIONS +++ b/OPTIONS @@ -1,25 +0,0 @@ -Setting the STD_CDEFINES environment variable before running configure can -be used to enable certain compile-time options that are not explicitly -defined in configure. - -Some of these settings are: - -Setting Description - Don't ovewrite memory when allocating or freeing --DISC_MEM_FILL=0 it; this improves performance but makes - debugging more difficult. - Don't track memory allocations by file and line --DISC_MEM_TRACKLINES=0 number; this improves performance but makes - debugging more difficult. --DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named --DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular - well-known ports: --DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone --DCHECK_LOCAL=0 Don't check out-of-zone addresses in - named-checkzone --DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run - rather than ${localstatedir}/run/{named,lwresd}/ - Enable DNSSEC signature chasing support in dig. --DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv - instead.) - diff --git a/README b/README index 1c699cece5..e69de29bb2 100644 --- a/README +++ b/README @@ -1,466 +0,0 @@ -BIND 9 - -Contents - - 1. Introduction - 2. Reporting bugs and getting help - 3. Contributing to BIND - 4. BIND 9.10 features - 5. Building BIND - 6. Compile-time options - 7. Automated testing - 8. Documentation - 9. Change log -10. Acknowledgments - -Introduction - -BIND (Berkeley Internet Name Domain) is a complete, highly portable -implementation of the DNS (Domain Name System) protocol. - -The BIND name server, named, is able to serve as an authoritative name -server, recursive resolver, DNS forwarder, or all three simultaneously. It -implements views for split-horizon DNS, automatic DNSSEC zone signing and -key management, catalog zones to facilitate provisioning of zone data -throughout a name server constellation, response policy zones (RPZ) to -protect clients from malicious data, response rate limiting (RRL) and -recursive query limits to reduce distributed denial of service attacks, -and many other advanced DNS features. BIND also includes a suite of -administrative tools, including the dig and delv DNS lookup tools, -nsupdate for dynamic DNS zone updates, rndc for remote name server -administration, and more. - -BIND 9 is a complete re-write of the BIND architecture that was used in -versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501 -(c)(3) public benefit corporation dedicated to providing software and -services in support of the Internet infrastructure, developed BIND 9 and -is responsible for its ongoing maintenance and improvement. BIND is open -source software licenced under the terms of the Mozilla Public License, -version 2.0. - -For a summary of features introduced in past major releases of BIND, see -the file HISTORY. - -For a detailed list of changes made throughout the history of BIND 9, see -the file CHANGES. See below for details on the CHANGES file format. - -For up-to-date release notes and errata, see http://www.isc.org/software/ -bind9/releasenotes - -Reporting bugs and getting help - -Please report assertion failure errors and suspected security issues to -security-officer@isc.org. - -General bug reports can be sent to bind9-bugs@isc.org. - -Feature requests can be sent to bind-suggest@isc.org. - -Please note that, while ISC's ticketing system is not currently publicly -readable, this may change in the future. Please do not include information -in bug reports that you consider to be confidential. For example, when -sending the contents of your configuration file, it is advisable to -obscure key secrets; this can be done automatically by using -named-checkconf -px. - -Professional support and training for BIND are available from ISC at -https://www.isc.org/support. - -To join the BIND Users mailing list, or view the archives, visit https:// -lists.isc.org/mailman/listinfo/bind-users. - -If you're planning on making changes to the BIND 9 source code, you may -also want to join the BIND Workers mailing list, at https://lists.isc.org/ -mailman/listinfo/bind-workers. - -Contributing to BIND - -A public git repository for BIND is maintained at http://www.isc.org/git/, -and also on Github at https://github.com/isc-projects. - -Information for BIND contributors can be found in the following files: - -General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ -style.md - BIND architecture and developer guide: doc/dev/dev.md - -Patches for BIND may be submitted either as Github pull requests or via -email. When submitting a patch via email, please prepend the subject -header with "[PATCH]" so it will be easier for us to find. If your patch -introduces a new feature in BIND, please submit it to bind-suggest@isc.org -; if it fixes a bug, please submit it to bind9-bugs@isc.org. - -BIND 9.10 features - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. New features include: - - * DNS Response-rate limiting (DNS RRL), which blunts the impact of - reflection and amplification attacks, is always compiled in and no - longer requires a compile-time option to enable it. - * An experimental "Source Identity Token" (SIT) EDNS option is now - available. Similar to DNS Cookies as invented by Donald Eastlake 3rd, - these are designed to enable clients to detect off-path spoofed - responses, and to enable servers to detect spoofed-source queries. - Servers can be configured to send smaller responses to clients that - have not identified themselves using a SIT option, reducing the - effectiveness of amplification attacks. RRL processing has also been - updated; clients proven to be legitimate via SIT are not subject to - rate limiting. Use configure --enable-sit to enable this feature in - BIND. - * A new zone file format, map, stores zone data in a format that can be - mapped directly into memory, allowing significantly faster zone - loading. - * delv (domain entity lookup and validation) is a new tool with dig-like - semantics for looking up DNS data and performing internal DNSSEC - validation. This allows easy validation in environments where the - resolver may not be trustworthy, and assists with troubleshooting of - DNSSEC problems. (NOTE: In previous development releases of BIND 9.10, - this utility was called delve. The spelling has been changed to avoid - confusion with the delve utility included with the Xapian search - engine.) - * Improved EDNS(0) processing for better resolver performance and - reliability over slow or lossy connections. - * A new configure --with-tuning=large option tunes certain compiled-in - constants and default settings to values better suited to large - servers with abundant memory. This can improve performance on such - servers, but will consume more memory and may degrade performance on - smaller systems. - * Substantial improvement in response-policy zone (RPZ) performance. Up - to 32 response-policy zones can be configured with minimal performance - loss. - * To improve recursive resolver performance, cache records which are - still being requested by clients can now be automatically refreshed - from the authoritative server before they expire, reducing or - eliminating the time window in which no answer is available in the - cache. - * New rpz-client-ip triggers and drop policies allowing response - policies based on the IP address of the client. - * ACLs can now be specified based on geographic location using the - MaxMind GeoIP databases. Use configure --with-geoip to enable. - * Zone data can now be shared between views, allowing multiple views to - serve the same zones authoritatively without storing multiple copies - in memory. - * New XML schema (version 3) for the statistics channel includes many - new statistics and uses a flattened XML tree for faster parsing. The - older schema is now deprecated. - * A new stylesheet, based on the Google Charts API, displays XML - statistics in charts and graphs on javascript-enabled browsers. - * The statistics channel can now provide data in JSON format as well as - XML. - * New stats counters track TCP and UDP queries received per zone, and - EDNS options received in total. - * The internal and export versions of the BIND libraries (libisc, - libdns, etc) have been unified so that external library clients can - use the same libraries as BIND itself. - * A new compile-time option, configure --enable-native-pkcs11, allows - BIND 9 cryptography functions to use the PKCS#11 API natively, so that - BIND can drive a cryptographic hardware service module (HSM) directly - instead of using a modified OpenSSL as an intermediary. (Note: This - feature requires an HSM to have a full implementation of the PKCS#11 - API; many current HSMs only have partial implementations. The new - pkcs11-tokens command can be used to check API completeness. Native - PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM - version 2 from the Open DNSSEC project.) - * The new max-zone-ttl option enforces maximum TTLs for zones. This can - simplify the process of rolling DNSSEC keys by guaranteeing that - cached signatures will have expired within the specified amount of - time. - * dig +subnet sends an EDNS CLIENT-SUBNET option when querying. - * dig +expire sends an EDNS EXPIRE option when querying. When this - option is sent with an SOA query to a server that supports it, it will - report the expiry time of a slave zone. - * New dnssec-coverage tool to check DNSSEC key coverage for a zone and - report if a lapse in signing coverage has been inadvertently - scheduled. - * Signing algorithm flexibility and other improvements for the rndc - control channel. - * named-checkzone and named-compilezone can now read journal files, - allowing them to process dynamic zones. - * Multiple DLZ databases can now be configured. Individual zones can be - configured to be served from a specific DLZ database. DLZ databases - now serve zones of type master and redirect. - * rndc zonestatus reports information about a specified zone. - * named now listens on IPv6 as well as IPv4 interfaces by default. - * named now preserves the capitalization of names when responding to - queries: for instance, a query for "example.com" may be answered with - "example.COM" if the name was configured that way in the zone file. - Some clients have a bug causing them to depend on the older behavior, - in which the case of the answer always matched the case of the query, - rather than the case of the name configured in the DNS. Such clients - can now be specified in the new no-case-compress ACL; this will - restore the older behavior of named for those clients only. - * new dnssec-importkey command allows the use of offline DNSSEC keys - with automatic DNSKEY management. - * New named-rrchecker tool to verify the syntactic correctness of - individual resource records. - * When re-signing a zone, the new dnssec-signzone -Q option drops - signatures from keys that are still published but are no longer - active. - * named-checkconf -px will print the contents of configuration files - with the shared secrets obscured, making it easier to share - configuration (e.g. when submitting a bug report) without revealing - private information. - * rndc scan causes named to re-scan network interfaces for changes in - local addresses. - * On operating systems with support for routing sockets, network - interfaces are re-scanned automatically whenever they change. - * tsig-keygen is now available as an alternate command name to use for - ddns-confgen. - -BIND 9.10.1 - -BIND 9.10.1 is a maintenance release, and addresses the security flaws -described in CVE-2014-3214 and CVE-2014-3859. - -BIND 9.10.2 - -BIND 9.10.2 is a maintenance release, and addresses the security flaws -described in CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349. - -BIND 9.10.3 - -BIND 9.10.3 is a maintenance release, and addresses the security flaws -described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and -CVE-2015-5986. - -It also makes the following new features available: - - * New "fetchlimit" quotas are now available for the use of recursive - resolvers that are are under high query load for domains whose - authoritative servers are nonresponsive or are experiencing a denial - of service attack. - - + fetches-per-server limits the number of simultaneous queries that - can be sent to any single authoritative server. The configured - value is a starting point; it is automatically adjusted downward - if the server is partially or completely non-responsive. The - algorithm used to adjust the quota can be configured via the - fetch-quota-params option. - + fetches-per-zone limits the number of simultaneous queries that - can be sent for names within a single domain. (Note: Unlike - fetches-per-server, this value is not self-tuning.) - + New stats counters have been added to count queries spilled due to - these quotas. - -NOTE: These features are NOT built in by default; use configure ---enable-fetchlimit to enable them. - - * dig now supports sending of arbitrary EDNS options by specifying them - on the command line. - -BIND 9.10.4 - -BIND 9.10.4 is a maintenance release, and addresses the security flaws -described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704, CVE-2015-8705, -CVE-2016-1285, CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and -CVE-2016-2776. - -BIND 9.10.5 - -BIND 9.10.5 is a maintenance release, and addresses the security flaws -disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, -CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136, -CVE-2017-3137, and CVE-2017-3138. - -Building BIND - -BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX -support, and a 64-bit integer type. Successful builds have been observed -on many versions of Linux and UNIX, including RedHat, Fedora, Debian, -Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, -HP-UX, AIX, SCO OpenServer, and OpenWRT. - -BIND is also available for Windows XP, 2003, 2008, and higher. See -win32utils/readme1st.txt for details on building for Windows systems. - -To build on a UNIX or Linux system, use: - - $ ./configure - $ make - -If you're planning on making changes to the BIND 9 source, you should run -make depend. If you're using Emacs, you might find make tags helpful. - -Several environment variables that can be set before running configure -will affect compilation: - -Variable Description -CC The C compiler to use. configure tries to figure out the - right one for supported systems. - C compiler flags. Defaults to include -g and/or -O2 as -CFLAGS supported by the compiler. Please include '-g' if you need - to set CFLAGS. - System header file directories. Can be used to specify -STD_CINCLUDES where add-on thread or IPv6 support is, for example. - Defaults to empty string. - Any additional preprocessor symbols you want defined. -STD_CDEFINES Defaults to empty string. For a list of possible settings, - see the file OPTIONS. -LDFLAGS Linker flags. Defaults to empty string. -BUILD_CC Needed when cross-compiling: the native C compiler to use - when building for the target system. -BUILD_CFLAGS Optional, used for cross-compiling -BUILD_CPPFLAGS -BUILD_LDFLAGS -BUILD_LIBS - -Compile-time options - -To see a full list of configuration options, run configure --help. - -On most platforms, BIND 9 is built with multithreading support, allowing -it to take advantage of multiple CPUs. You can configure this by -specifying --enable-threads or --disable-threads on the configure command -line. The default is to enable threads, except on some older operating -systems on which threads are known to have had problems in the past. -(Note: Prior to BIND 9.10, the default was to disable threads on Linux -systems; this has now been reversed. On Linux systems, the threaded build -is known to change BIND's behavior with respect to file permissions; it -may be necessary to specify a user with the -u option when running named.) - -To build shared libraries, specify --with-libtool on the configure command -line. - -Certain compiled-in constants and default settings can be increased to -values better suited to large servers with abundant memory resources (e.g, -64-bit servers with 12G or more of memory) by specifying --with-tuning= -large on the configure command line. This can improve performance on big -servers, but will consume more memory and may degrade performance on -smaller systems. - -For the server to support DNSSEC, you need to build it with crypto -support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer -installed. If the OpenSSL library is installed in a nonstandard location, -specify the prefix using "--with-openssl=/prefix" on the configure command -line. To use a PKCS#11 hardware service module for cryptographic -operations, specify the path to the PKCS#11 provider library using -"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". - -To support the HTTP statistics channel, the server must be linked with at -least one of the following: libxml2 http://xmlsoft.org or json-c https:// -github.com/json-c. If these are installed at a nonstandard location, -specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix. - -To support GeoIP location-based ACLs, the server must be linked with -libGeoIP. This is not turned on by default; BIND must be configured with -"--with-geoip". If the library is installed in a nonstandard location, use -specify the prefix using "--with-geoip=/prefix". - -Python requires the 'argparse' module to be available. 'argparse' is a -standard module as of Python 2.7 and Python 3.2. - -On some platforms it is necessary to explicitly request large file support -to handle files bigger than 2GB. This can be done by using ---enable-largefile on the configure command line. - -Support for the "fixed" rrset-order option can be enabled or disabled by -specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure -command line. By default, fixed rrset-order is disabled to reduce memory -footprint. - -If your operating system has integrated support for IPv6, it will be used -automatically. If you have installed KAME IPv6 separately, use --with-kame -[=PATH] to specify its location. - -make install will install named and the various BIND 9 libraries. By -default, installation is into /usr/local, but this can be changed with the ---prefix option when running configure. - -You may specify the option --sysconfdir to set the directory where -configuration files like named.conf go by default, and --localstatedir to -set the default parent directory of run/named.pid. For backwards -compatibility with BIND 8, --sysconfdir defaults to /etc and ---localstatedir defaults to /var if no --prefix option is given. If there -is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir -defaults to $prefix/var. - -Automated testing - -A system test suite can be run with make test. The system tests require -you to configure a set of virtual IP addresses on your system (this allows -multiple servers to run locally and communicate with one another). These -IP addresses can be configured by by running the script bin/tests/system/ -ifconfig.sh up as root. - -Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, -and will be skipped if these are not available. Some tests require Python -and the 'dnspython' module and will be skipped if these are not available. -See bin/tests/system/README for further details. - -Unit tests are implemented using Automated Testing Framework (ATF). To run -them, use configure --with-atf, then run make test or make unit. - -Documentation - -The BIND 9 Administrator Reference Manual is included with the source -distribution, in DocBook XML, HTML and PDF format, in the doc/arm -directory. - -Some of the programs in the BIND 9 distribution have man pages in their -directories. In particular, the command line options of named are -documented in bin/named/named.8. - -Frequently (and not-so-frequently) asked questions and their answers can -be found in the ISC Knowledge Base at https://kb.isc.org. - -Additional information on various subjects can be found in other README -files throughout the source tree. - -Change log - -A detailed list of all changes that have been made throughout the -development BIND 9 is included in the file CHANGES, with the most recent -changes listed first. Change notes include tags indicating the category of -the change that was made; these categories are: - -Category Description -[func] New feature -[bug] General bug fix -[security] Fix for a significant security flaw -[experimental] Used for new features when the syntax or other aspects of - the design are still in flux and may change -[port] Portability enhancement -[maint] Updates to built-in data such as root server addresses and - keys -[tuning] Changes to built-in configuration defaults and constants to - improve performance -[performance] Other changes to improve server performance -[protocol] Updates to the DNS protocol such as new RR types -[test] Changes to the automatic tests, not affecting server - functionality -[cleanup] Minor corrections and refactoring -[doc] Documentation -[contrib] Changes to the contributed tools and libraries in the - 'contrib' subdirectory - Used in the master development branch to reserve change -[placeholder] numbers for use in other branches, e.g. when fixing a bug - that only exists in older releases - -In general, [func] and [experimental] tags will only appear in new-feature -releases (i.e., those with version numbers ending in zero). Some new -functionality may be backported to older releases on a case-by-case basis. -All other change types may be applied to all currently-supported releases. - -Acknowledgments - - * The original development of BIND 9 was underwritten by the following - organizations: - - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. - - * This product includes software developed by the OpenSSL Project for - use in the OpenSSL Toolkit. http://www.OpenSSL.org/ - * This product includes cryptographic software written by Eric Young - (eay@cryptsoft.com) - * This product includes software written by Tim Hudson - (tjh@cryptsoft.com) -