From 96762fdd4cdd678f352adda4f0a49116c6f2aa5f Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 23 Apr 2017 23:00:52 -0700 Subject: [PATCH] [v9_9] allow parallel make 4609. [cleanup] Rearrange makefiles to enable parallel execution (i.e. "make -j"). [RT #45078] --- CHANGES | 3 + HISTORY | 234 +++++++++++++++++++++++ HISTORY.md | 301 ----------------------------- OPTIONS | 25 +++ README | 428 ++++++++++++++++++++++++++++++++++++++++++ README.md | 3 - lib/dns/Makefile.in | 70 +++---- lib/irs/Makefile.in | 2 + lib/isc/Makefile.in | 2 + lib/lwres/Makefile.in | 2 + 10 files changed, 733 insertions(+), 337 deletions(-) diff --git a/CHANGES b/CHANGES index 1eb4fc0e16..925b31f681 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4609. [cleanup] Rearrange makefiles to enable parallel execution + (i.e. "make -j"). [RT #45078] + 4608. [func] DiG now warns about .local queries which are reserved for Multicast DNS. [RT #44783] diff --git a/HISTORY b/HISTORY index e69de29bb2..92ccdef695 100644 --- a/HISTORY +++ b/HISTORY @@ -0,0 +1,234 @@ +Functional enhancements from prior major releases of BIND 9 + +BIND 9.8.0 + +BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier +releases. New features include: + + * Built-in trust anchor for the root zone, which can be switched on via + "dnssec-validation auto;" + * Support for DNS64. + * Support for response policy zones (RPZ). + * Support for writable DLZ zones. + * Improved ease of configuration of GSS/TSIG for interoperability with + Active Directory + * Support for GOST signing algorithm for DNSSEC. + * Removed RTT Banding from server selection algorithm. + * New "static-stub" zone type. + * Allow configuration of resolver timeouts via "resolver-query-timeout" + option. + * The DLZ "dlopen" driver is now built by default. + * Added a new include file with function typedefs for the DLZ "dlopen" + driver. + * Made "--with-gssapi" default. + * More verbose error reporting from DLZ LDAP. + +BIND 9.7.0 + +BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier +releases. Most are intended to simplify DNSSEC configuration. New features +include: + + * Fully automatic signing of zones by "named". + * Simplified configuration of DNSSEC Lookaside Validation (DLV). + * Simplified configuration of Dynamic DNS, using the "ddns-confgen" + command line tool or the "local" update-policy option. (As a side + effect, this also makes it easier to configure automatic zone + re-signing.) + * New named option "attach-cache" that allows multiple views to share a + single cache. + * DNS rebinding attack prevention. + * New default values for dnssec-keygen parameters. + * Support for RFC 5011 automated trust anchor maintenance + * Smart signing: simplified tools for zone signing and key maintenance. + * The "statistics-channels" option is now available on Windows. + * A new DNSSEC-aware libdns API for use by non-BIND9 applications + * On some platforms, named and other binaries can now print out a stack + backtrace on assertion failure, to aid in debugging. + * A "tools only" installation mode on Windows, which only installs dig, + host, nslookup and nsupdate. + * Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + +BIND 9.6.0 + + * Full NSEC3 support + * Automatic zone re-signing + * New update-policy methods tcp-self and 6to4-self + * The BIND 8 resolver library, libbind, has been removed from the BIND 9 + distribution and is now available as a separate download. + * Change the default pid file location from /var/run to /var/run/ + {named,lwresd} for improved chroot/setuid support. + +BIND 9.5.0 + + * GSS-TSIG support (RFC 3645). + * DHCID support. + * Experimental http server and statistics support for named via xml. + * More detailed statistics counters including those supported in BIND 8. + * Faster ACL processing. + * Use Doxygen to generate internal documentation. + * Efficient LRU cache-cleaning mechanism. + * NSID support. + +BIND 9.4.0 + + * Implemented "additional section caching (or acache)", an internal + cache framework for additional section content to improve response + performance. Several configuration options were provided to control + the behavior. + * New notify type 'master-only'. Enable notify for master zones only. + * Accept 'notify-source' style syntax for query-source. + * rndc now allows addresses to be set in the server clauses. + * New option "allow-query-cache". This lets "allow-query" be used to + specify the default zone access level rather than having to have every + zone override the global value. "allow-query-cache" can be set at both + the options and view levels. If "allow-query-cache" is not set then + "allow-recursion" is used if set, otherwise "allow-query" is used if + set unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. + * rndc: the source address can now be specified. + * ixfr-from-differences now takes master and slave in addition to yes + and no at the options and view levels. + * Allow the journal's name to be changed via named.conf. + * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the + specified zone. + * 'dig +trace' now randomly selects the next servers to try. Report if + there is a bad delegation. + * Improve check-names error messages. + * Make public the function to read a key file, dst_key_read_public(). + * dig now returns the byte count for axfr/ixfr. + * allow-update is now settable at the options / view level. + * named-checkconf now checks the logging configuration. + * host now can turn on memory debugging flags with '-m'. + * Don't send notify messages to self. + * Perform sanity checks on NS records which refer to 'in zone' names. + * New zone option "notify-delay". Specify a minimum delay between sets + of NOTIFY messages. + * Extend adjusting TTL warning messages. + * Named and named-checkzone can now both check for non-terminal wildcard + records. + * "rndc freeze/thaw" now freezes/thaws all zones. + * named-checkconf now check acls to verify that they only refer to + existing acls. + * The server syntax has been extended to support a range of servers. + * Report differences between hints and real NS rrset and associated + address records. + * Preserve the case of domain names in rdata during zone transfers. + * Restructured the data locking framework using architecture dependent + atomic operations (when available), improving response performance on + multi-processor machines significantly. x86, x86_64, alpha, powerpc, + and mips are currently supported. + * UNIX domain controls are now supported. + * Add support for additional zone file formats for improving loading + performance. The masterfile-format option in named.conf can be used to + specify a non-default format. A separate command named-compilezone was + provided to generate zone files in the new format. Additionally, the + -I and -O options for dnssec-signzone specify the input and output + formats. + * dnssec-signzone can now randomize signature end times (dnssec-signzone + -j jitter). + * Add support for CH A record. + * Add additional zone data constancy checks. named-checkzone has + extended checking of NS, MX and SRV record and the hosts they + reference. named has extended post zone load checks. New zone options: + check-mx and integrity-check. + * edns-udp-size can now be overridden on a per server basis. + * dig can now specify the EDNS version when making a query. + * Added framework for handling multiple EDNS versions. + * Additional memory debugging support to track size and mctx arguments. + * Detect duplicates of UDP queries we are recursing on and drop them. + New stats category "duplicates". + * "USE INTERNAL MALLOC" is now runtime selectable. + * The lame cache is now done on a basis as some servers only appear to + be lame for certain query types. + * Limit the number of recursive clients that can be waiting for a single + query () to resolve. New options clients-per-query and + max-clients-per-query. + * dig: report the number of extra bytes still left in the packet after + processing all the records. + * Support for IPSECKEY rdata type. + * Raise the UDP recieve buffer size to 32k if it is less than 32k. + * x86 and x86_64 now have seperate atomic locking implementations. + * named-checkconf now validates update-policy entries. + * Attempt to make the amount of work performed in a iteration self + tuning. The covers nodes clean from the cache per iteration, nodes + written to disk when rewriting a master file and nodes destroyed per + iteration when destroying a zone or a cache. + * ISC string copy API. + * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC + 1918 zones are not yet covered by this but are likely to be in a + future release. + * New options: empty-server, empty-contact, empty-zones-enable and + disable-empty-zone. + * dig now has a '-q queryname' and '+showsearch' options. + * host/nslookup now continue (default)/fail on SERVFAIL. + * dig now warns if 'RA' is not set in the answer when 'RD' was set in + the query. host/nslookup skip servers that fail to set 'RA' when 'RD' + is set unless a server is explicitly set. + * Integrate contibuted DLZ code into named. + * Integrate contibuted IDN code from JPNIC. + * libbind: corresponds to that from BIND 8.4.7. + +BIND 9.3.0 + + * DNSSEC is now DS based (RFC 3658). + * DNSSEC lookaside validation. + * check-names is now implemented. + * rrset-order is more complete. + * IPv4/IPv6 transition support, dual-stack-servers. + * IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + * It is now possible to specify the size of a journal, max-journal-size. + * It is now possible to define a named set of master servers to be used + in masters clause, masters. + * The advertised EDNS UDP size can now be set, edns-udp-size. + * allow-v6-synthesis has been obsoleted. + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than + NOTIMPL. This will have impact on scripts that are looking for + NOTIMPL. + * libbind: corresponds to that from BIND 8.4.5. + +BIND 9.2.0 + + * The size of the cache can now be limited using the "max-cache-size" + option. + * The server can now automatically convert RFC1886-style recursive + lookup requests into RFC2874-style lookups, when enabled using the new + option "allow-v6-synthesis". This allows stub resolvers that support + AAAA records but not A6 record chains or binary labels to perform + lookups in domains that make use of these IPv6 DNS features. + * Performance has been improved. + * The man pages now use the more portable "man" macros rather than the + "mandoc" macros, and are installed by "make install". + * The named.conf parser has been completely rewritten. It now supports + "include" directives in more places such as inside "view" statements, + and it no longer has any reserved words. + * The "rndc status" command is now implemented. + * rndc can now be configured automatically. + * A BIND 8 compatible stub resolver library is now included in lib/bind. + * OpenSSL has been removed from the distribution. This means that to use + DNSSEC, OpenSSL must be installed and the --with-openssl option must + be supplied to configure. This does not apply to the use of TSIG, + which does not require OpenSSL. + * The source distribution now builds on Windows. See win32utils/ + readme1.txt and win32utils/win32-build.txt for details. + * This distribution also includes a new lightweight stub resolver + library and associated resolver daemon that fully support forward and + reverse lookups of both IPv4 and IPv6 addresses. This library is + considered experimental and is not a complete replacement for the BIND + 8 resolver library. Applications that use the BIND 8 res_* functions + to perform DNS lookups or dynamic updates still need to be linked + against the BIND 8 libraries. For DNS lookups, they can also use the + new "getrrsetbyname()" API. + * BIND 9.2 is capable of acting as an authoritative server for DNSSEC + secured zones. This functionality is believed to be stable and + complete except for lacking support for verifications involving + wildcard records in secure zones. + * When acting as a caching server, BIND 9.2 can be configured to perform + DNSSEC secure resolution on behalf of its clients. This part of the + DNSSEC implementation is still considered experimental. For detailed + information about the state of the DNSSEC implementation, see the file + doc/misc/dnssec. + diff --git a/HISTORY.md b/HISTORY.md index 8c943f0ddf..6850f6ade5 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -15,307 +15,6 @@ ---> ### Functional enhancements from prior major releases of BIND 9 -#### BIND 9.11 - -BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier -releases. New features include: - -- Added support for Catalog Zones, a new method for provisioning servers: a - list of zones to be served is stored in a DNS zone, along with their - configuration parameters. Changes to the catalog zone are propagated to - slaves via normal AXFR/IXFR, whereupon the zones that are listed in it - are automatically added, deleted or reconfigured. -- Added support for "dnstap", a fast and flexible method of capturing and - logging DNS traffic. -- Added support for "dyndb", a new API for loading zone data from an - external database, developed by Red Hat for the FreeIPA project. -- "fetchlimit" quotas are now compiled in by default. These are for the - use of recursive resolvers that are are under high query load for domains - whose authoritative servers are nonresponsive or are experiencing a - denial of service attack: - - "fetches-per-server" limits the number of simultaneous queries that - can be sent to any single authoritative server. The configured value - is a starting point; it is automatically adjusted downward if the - server is partially or completely non-responsive. The algorithm used - to adjust the quota can be configured via the "fetch-quota-params" - option. - - "fetches-per-zone" limits the number of simultaneous queries that can - be sent for names within a single domain. (Note: Unlike - "fetches-per-server", this value is not self-tuning.) - - New stats counters have been added to count queries spilled due to - these quotas. -- Added a new "dnssec-keymgr" key mainenance utility, which can generate or - update keys as needed to ensure that a zone's keys match a defined DNSSEC - policy. -- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and - is no longer optional. EDNS COOKIE is a mechanism enabling clients to - detect off-path spoofed responses, and servers to detect spoofed-source - queries. Clients that identify themselves using COOKIE options are not - subject to response rate limiting (RRL) and can receive larger UDP - responses. -- SERVFAIL responses can now be cached for a limited time (defaulting to 1 - second, with an upper limit of 30). This can reduce the frequency of - retries when a query is persistently failing. -- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be - skipped if a name server IP address isn't in the cache yet; the address - will be looked up and the rule will be applied on future queries. -- Added a Python RNDC module. This allows multiple commands to sent over a - persistent RNDC channel, which saves time. -- The "controls" block in named.conf can now grant read-only "rndc" access - to specified clients or keys. Read-only clients could, for example, check - "rndc status" but could not reconfigure or shut down the server. -- "rndc" commands can now return arbitrarily large amounts of text to the - caller. -- The zone serial number of a dynamically updatable zone can now be set via - "rndc signing -serial ". This allows inline-signing - zones to be set to a specific serial number. -- The new "rndc nta" command can be used to set a Negative Trust Anchor - (NTA), disabling DNSSEC validation for a specific domain; this can be - used when responses from a domain are known to be failing validation due - to administrative error rather than because of a spoofing attack. - Negative trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. -- "rndc delzone" can now be used on zones that were not originally created - by "rndc addzone". -- "rndc modzone" reconfigures a single zone, without requiring the entire - server to be reconfigured. -- "rndc showzone" displays the current configuration of a zone. -- "rndc managed-keys" can be used to check the status of RFC 5001 managed - trust anchors, or to force trust anchors to be refreshed. -- "max-cache-size" can now be set to a percentage of available memory. The - default is 90%. -- Update forwarding performance has been improved by allowing a single TCP - connection to be shared by multiple updates. -- The EDNS Client Subnet (ECS) option is now supported for authoritative - servers; if a query contains an ECS option then ACLs containing "geoip" - or "ecs" elements can match against the the address encoded in the - option. This can be used to select a view for a query, so that different - answers can be provided depending on the client network. -- The EDNS EXPIRE option has been implemented on the client side, allowing - a slave server to set the expiration timer correctly when transferring - zone data from another slave server. -- The key generation and manipulation tools (dnssec-keygen, dnssec-settime, - dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync" - options to set the publication and deletion times of CDS and CDNSKEY - parent-synchronization records. Both named and dnssec-signzone can now - publish and remove these records at the scheduled times. -- A new "minimal-any" option reduces the size of UDP responses for query - type ANY by returning a single arbitrarily selected RRset instead of all - RRsets. -- A new "masterfile-style" zone option controls the formatting of text zone - files: When set to "full", a zone file is dumped in - single-line-per-record format. -- "serial-update-method" can now be set to "date". On update, the serial - number will be set to the current date in YYYYMMDDNN format. -- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. -- "named -L " causes named to send log messages to the specified - file by default instead of to the system log. -- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s - for weeks, days, hours, minutes, and seconds. -- "dig +unknownformat" prints dig output in RFC 3597 "unknown record" - presentation format. -- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. -- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on - requests. -- "mdig" is an alternate version of dig which sends multiple pipelined TCP - queries to a server. Instead of waiting for a response after sending a - query, it sends all queries immediately and displays responses in the - order received. -- "serial-query-rate" no longer controls NOTIFY messages. These are - separately controlled by "notify-rate" and "startup-notify-rate". -- "nsupdate" now performs "check-names" processing by default on records to - be added. This can be disabled with "check-names no". -- The statistics channel now supports DEFLATE compression, reducing the - size of the data sent over the network when querying statistics. -- New counters have been added to the statistics channel to track the sizes - of incoming queries and outgoing responses in histogram buckets, as - specified in RSSAC002. -- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been - added, allowing redirection to a specified DNS namespace instead of a - single redirect zone. -- When starting up, named now ensures that no other named process is - already running. -- Files created by named to store information, including "mkeys" and "nzf" - files, are now named after their corresponding views unless the view name - contains characters incompatible with use as a filename. Old style - filenames (based on the hash of the view name) will still work. - -#### BIND 9.10.0 - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. New features include: - - - DNS Response-rate limiting (DNS RRL), which blunts the - impact of reflection and amplification attacks, is always - compiled in and no longer requires a compile-time option - to enable it. - - An experimental "Source Identity Token" (SIT) EDNS option - is now available. Similar to DNS Cookies as invented by - Donald Eastlake 3rd, these are designed to enable clients - to detect off-path spoofed responses, and to enable servers - to detect spoofed-source queries. Servers can be configured - to send smaller responses to clients that have not identified - themselves using a SIT option, reducing the effectiveness of - amplification attacks. RRL processing has also been updated; - clients proven to be legitimate via SIT are not subject to - rate limiting. Use "configure --enable-sit" to enable this - feature in BIND. - - A new zone file format, "map", stores zone data in a - format that can be mapped directly into memory, allowing - significantly faster zone loading. - - "delv" (domain entity lookup and validation) is a new tool - with dig-like semantics for looking up DNS data and performing - internal DNSSEC validation. This allows easy validation in - environments where the resolver may not be trustworthy, and - assists with troubleshooting of DNSSEC problems. (NOTE: - In previous development releases of BIND 9.10, this utility - was called "delve". The spelling has been changed to avoid - confusion with the "delve" utility included with the Xapian - search engine.) - - Improved EDNS(0) processing for better resolver performance - and reliability over slow or lossy connections. - - A new "configure --with-tuning=large" option tunes certain - compiled-in constants and default settings to values better - suited to large servers with abundant memory. This can - improve performance on such servers, but will consume more - memory and may degrade performance on smaller systems. - - Substantial improvement in response-policy zone (RPZ) - performance. Up to 32 response-policy zones can be - configured with minimal performance loss. - - To improve recursive resolver performance, cache records - which are still being requested by clients can now be - automatically refreshed from the authoritative server - before they expire, reducing or eliminating the time - window in which no answer is available in the cache. - - New "rpz-client-ip" triggers and drop policies allowing - response policies based on the IP address of the client. - - ACLs can now be specified based on geographic location - using the MaxMind GeoIP databases. Use "configure - --with-geoip" to enable. - - Zone data can now be shared between views, allowing - multiple views to serve the same zones authoritatively - without storing multiple copies in memory. - - New XML schema (version 3) for the statistics channel - includes many new statistics and uses a flattened XML tree - for faster parsing. The older schema is now deprecated. - - A new stylesheet, based on the Google Charts API, displays - XML statistics in charts and graphs on javascript-enabled - browsers. - - The statistics channel can now provide data in JSON - format as well as XML. - - New stats counters track TCP and UDP queries received - per zone, and EDNS options received in total. - - The internal and export versions of the BIND libraries - (libisc, libdns, etc) have been unified so that external - library clients can use the same libraries as BIND itself. - - A new compile-time option, "configure --enable-native-pkcs11", - allows BIND 9 cryptography functions to use the PKCS#11 API - natively, so that BIND can drive a cryptographic hardware - service module (HSM) directly instead of using a modified - OpenSSL as an intermediary. (Note: This feature requires an - HSM to have a full implementation of the PKCS#11 API; many - current HSMs only have partial implementations. The new - "pkcs11-tokens" command can be used to check API completeness. - Native PKCS#11 is known to work with the Thales nShield HSM - and with SoftHSM version 2 from the Open DNSSEC project.) - - The new "max-zone-ttl" option enforces maximum TTLs for - zones. This can simplify the process of rolling DNSSEC keys - by guaranteeing that cached signatures will have expired - within the specified amount of time. - - "dig +subnet" sends an EDNS CLIENT-SUBNET option when - querying. - - "dig +expire" sends an EDNS EXPIRE option when querying. - When this option is sent with an SOA query to a server - that supports it, it will report the expiry time of - a slave zone. - - New "dnssec-coverage" tool to check DNSSEC key coverage - for a zone and report if a lapse in signing coverage has - been inadvertently scheduled. - - Signing algorithm flexibility and other improvements - for the "rndc" control channel. - - "named-checkzone" and "named-compilezone" can now read - journal files, allowing them to process dynamic zones. - - Multiple DLZ databases can now be configured. Individual - zones can be configured to be served from a specific DLZ - database. DLZ databases now serve zones of type "master" - and "redirect". - - "rndc zonestatus" reports information about a specified zone. - - "named" now listens on IPv6 as well as IPv4 interfaces - by default. - - "named" now preserves the capitalization of names - when responding to queries: for instance, a query for - "example.com" may be answered with "example.COM" if the - name was configured that way in the zone file. Some - clients have a bug causing them to depend on the older - behavior, in which the case of the answer always matched - the case of the query, rather than the case of the name - configured in the DNS. Such clients can now be specified - in the new "no-case-compress" ACL; this will restore the - older behavior of "named" for those clients only. - - new "dnssec-importkey" command allows the use of offline - DNSSEC keys with automatic DNSKEY management. - - New "named-rrchecker" tool to verify the syntactic - correctness of individual resource records. - - When re-signing a zone, the new "dnssec-signzone -Q" option - drops signatures from keys that are still published but are - no longer active. - - "named-checkconf -px" will print the contents of configuration - files with the shared secrets obscured, making it easier to - share configuration (e.g. when submitting a bug report) - without revealing private information. - - "rndc scan" causes named to re-scan network interfaces for - changes in local addresses. - - On operating systems with support for routing sockets, - network interfaces are re-scanned automatically whenever - they change. - - "tsig-keygen" is now available as an alternate command - name to use for "ddns-confgen". - -#### BIND 9.9.0 - -BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier -releases. New features include: - -- Inline signing, allowing automatic DNSSEC signing of - master zones without modification of the zonefile, or - "bump in the wire" signing in slaves. -- NXDOMAIN redirection. -- New 'rndc flushtree' command clears all data under a given - name from the DNS cache. -- New 'rndc sync' command dumps pending changes in a dynamic - zone to disk without a freeze/thaw cycle. -- New 'rndc signing' command displays or clears signing status - records in 'auto-dnssec' zones. -- NSEC3 parameters for 'auto-dnssec' zones can now be set prior - to signing, eliminating the need to initially sign with NSEC. -- Startup time improvements on large authoritative servers. -- Slave zones are now saved in raw format by default. -- Several improvements to response policy zones (RPZ). -- Improved hardware scalability by using multiple threads - to listen for queries and using finer-grained client locking -- The 'also-notify' option now takes the same syntax as - 'masters', so it can used named masterlists and TSIG keys. -- 'dnssec-signzone -D' writes an output file containing only DNSSEC - data, which can be included by the primary zone file. -- 'dnssec-signzone -R' forces removal of signatures that are - not expired but were created by a key which no longer exists. -- 'dnssec-signzone -X' allows a separate expiration date to - be specified for DNSKEY signatures from other signatures. -- New '-L' option to dnssec-keygen, dnssec-settime, and - dnssec-keyfromlabel sets the default TTL for the key. -- dnssec-dsfromkey now supports reading from standard input, - to make it easier to convert DNSKEY to DS. -- RFC 1918 reverse zones have been added to the empty-zones - table per RFC 6303. -- Dynamic updates can now optionally set the zone's SOA serial - number to the current UNIX time. -- DLZ modules can now retrieve the source IP address of - the querying client. -- 'request-ixfr' option can now be set at the per-zone level. -- 'dig +rrcomments' turns on comments about DNSKEY records, - indicating their key ID, algorithm and function -- Simplified nsupdate syntax and added readline support - #### BIND 9.8.0 BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier diff --git a/OPTIONS b/OPTIONS index e69de29bb2..0be74b7aac 100644 --- a/OPTIONS +++ b/OPTIONS @@ -0,0 +1,25 @@ +Setting the STD_CDEFINES environment variable before running configure can +be used to enable certain compile-time options that are not explicitly +defined in configure. + +Some of these settings are: + +Setting Description + Don't ovewrite memory when allocating or freeing +-DISC_MEM_FILL=0 it; this improves performance but makes + debugging more difficult. + Don't track memory allocations by file and line +-DISC_MEM_TRACKLINES=0 number; this improves performance but makes + debugging more difficult. +-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named +-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular + well-known ports: +-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone +-DCHECK_LOCAL=0 Don't check out-of-zone addresses in + named-checkzone +-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run + rather than ${localstatedir}/run/{named,lwresd}/ + Enable DNSSEC signature chasing support in dig. +-DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv + instead.) + diff --git a/README b/README index e69de29bb2..83bdc52434 100644 --- a/README +++ b/README @@ -0,0 +1,428 @@ +BIND 9 + +Contents + + 1. Introduction + 2. Reporting bugs and getting help + 3. Contributing to BIND + 4. BIND 9.9 features + 5. Building BIND + 6. Compile-time options + 7. Automated testing + 8. Documentation + 9. Change log +10. Acknowledgments + +Introduction + +BIND (Berkeley Internet Name Domain) is a complete, highly portable +implementation of the DNS (Domain Name System) protocol. + +The BIND name server, named, is able to serve as an authoritative name +server, recursive resolver, DNS forwarder, or all three simultaneously. It +implements views for split-horizon DNS, automatic DNSSEC zone signing and +key management, catalog zones to facilitate provisioning of zone data +throughout a name server constellation, response policy zones (RPZ) to +protect clients from malicious data, response rate limiting (RRL) and +recursive query limits to reduce distributed denial of service attacks, +and many other advanced DNS features. BIND also includes a suite of +administrative tools, including the dig and delv DNS lookup tools, +nsupdate for dynamic DNS zone updates, rndc for remote name server +administration, and more. + +BIND 9 is a complete re-write of the BIND architecture that was used in +versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501 +(c)(3) public benefit corporation dedicated to providing software and +services in support of the Internet infrastructure, developed BIND 9 and +is responsible for its ongoing maintenance and improvement. BIND is open +source software licenced under the terms of the Mozilla Public License, +version 2.0. + +For a summary of features introduced in past major releases of BIND, see +the file HISTORY. + +For a detailed list of changes made throughout the history of BIND 9, see +the file CHANGES. See below for details on the CHANGES file format. + +For up-to-date release notes and errata, see http://www.isc.org/software/ +bind9/releasenotes + +Reporting bugs and getting help + +Please report assertion failure errors and suspected security issues to +security-officer@isc.org. + +General bug reports can be sent to bind9-bugs@isc.org. + +Feature requests can be sent to bind-suggest@isc.org. + +Please note that, while ISC's ticketing system is not currently publicly +readable, this may change in the future. Please do not include information +in bug reports that you consider to be confidential. For example, when +sending the contents of your configuration file, it is advisable to +obscure key secrets; this can be done automatically by using +named-checkconf -px. + +Professional support and training for BIND are available from ISC at +https://www.isc.org/support. + +To join the BIND Users mailing list, or view the archives, visit https:// +lists.isc.org/mailman/listinfo/bind-users. + +If you're planning on making changes to the BIND 9 source code, you may +also want to join the BIND Workers mailing list, at https://lists.isc.org/ +mailman/listinfo/bind-workers. + +Contributing to BIND + +A public git repository for BIND is maintained at http://www.isc.org/git/, +and also on Github at https://github.com/isc-projects. + +Information for BIND contributors can be found in the following files: - +General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ +style.md - BIND architecture and developer guide: doc/dev/dev.md + +Patches for BIND may be submitted either as Github pull requests or via +email. When submitting a patch via email, please prepend the subject +header with "[PATCH]" so it will be easier for us to find. If your patch +introduces a new feature in BIND, please submit it to bind-suggest@isc.org +; if it fixes a bug, please submit it to bind9-bugs@isc.org. + +BIND 9.9 features + +BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier +releases. New features include: + + * Inline signing, allowing automatic DNSSEC signing of master zones + without modification of the zonefile, or "bump in the wire" signing in + slaves. + * NXDOMAIN redirection. + * New rndc flushtree command clears all data under a given name from the + DNS cache. + * New rndc sync command dumps pending changes in a dynamic zone to disk + without a freeze/thaw cycle. + * New rndc signing command displays or clears signing status records in + auto-dnssec zones. + * NSEC3 parameters for auto-dnssec zones can now be set prior to + signing, eliminating the need to initially sign with NSEC. + * Startup time improvements on large authoritative servers. + * Slave zones are now saved in raw format by default. + * Several improvements to response policy zones (RPZ). + * Improved hardware scalability by using multiple threads to listen for + queries and using finer-grained client locking + * The also-notify option now takes the same syntax as masters, so it can + used named masterlists and TSIG keys. + * dnssec-signzone -D writes an output file containing only DNSSEC data, + which can be included by the primary zone file. + * dnssec-signzone -R forces removal of signatures that are not expired + but were created by a key which no longer exists. + * dnssec-signzone -X allows a separate expiration date to be specified + for DNSKEY signatures from other signatures. + * New -L option to dnssec-keygen, dnssec-settime, and + dnssec-keyfromlabel sets the default TTL for the key. + * dnssec-dsfromkey now supports reading from standard input, to make it + easier to convert DNSKEY to DS. + * RFC 1918 reverse zones have been added to the empty-zones table per + RFC + +6303. + + * Dynamic updates can now optionally set the zone's SOA serial number to + the current UNIX time. + * DLZ modules can now retrieve the source IP address of the querying + client. + * request-ixfr option can now be set at the per-zone level. + * dig +rrcomments turns on comments about DNSKEY records, indicating + their key ID, algorithm and function + * Simplified nsupdate syntax and added readline support + +BIND 9.9.1 + +BIND 9.9.1 is a maintenance release. + +BIND 9.9.2 + +BIND 9.9.2 is a maintenance release, and addresses the security flaw +described in CVE-2012-4244. + +BIND 9.9.3 + +BIND 9.9.3 is a maintenance release and addresses the security flaws +described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266. + +BIND 9.9.4 + +BIND 9.9.4 is a maintenance release, and addresses the security flaws +described in CVE-2013-3919 and CVE-2013-4854. It also introduces DNS +Response Rate Limiting (DNS RRL) as a compile-time option. To use this +feature, configure with the --enable-rrl option. + +BIND 9.9.5 + +BIND 9.9.5 is a maintenance release, and addresses the security flaws +described in CVE-2013-6320 and CVE-2014-0591. It also includes the +following functional enhancements: + + * named now preserves the capitalization of names when responding to + queries. + * new dnssec-importkey command allows the use of offline DNSSEC keys + with automatic DNSKEY management. + * When re-signing a zone, the new dnssec-signzone -Q option drops + signatures from keys that are still published but are no longer + active. + * named-checkconf -px will print the contents of configuration files + with the shared secrets obscured, making it easier to share + configuration (e.g. when submitting a bug report) without revealing + private information. + +BIND 9.9.6 + +BIND 9.9.6 is a maintenance release, and also includes the following new +functionality. + + * The former behavior with respect to capitalization of names (prior to + BIND 9.9.5) can be restored for specific clients via the new + no-case-compress ACL. + +BIND 9.9.7 + +BIND 9.9.7 is a maintenance release, and addresses the security flaws +described in CVE-2014-8500 and CVE-2015-1349. + +BIND 9.9.8 + +BIND 9.9.8 is a maintenance release, and addresses the security flaws +described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and +CVE-2015-5986. + +It also makes the following new features available via a compile-time +option: + + * New "fetchlimit" quotas are now available for the use of recursive + resolvers that are are under high query load for domains whose + authoritative servers are nonresponsive or are experiencing a denial + of service attack. + + fetches-per-server limits the number of simultaneous queries that + can be sent to any single authoritative server. The configured + value is a starting point; it is automatically adjusted downward + if the server is partially or completely non-responsive. The + algorithm used to adjust the quota can be configured via the + fetch-quota-params option. + + fetches-per-zone limits the number of simultaneous queries that + can be sent for names within a single domain. (Note: Unlike + fetches-per-server, this value is not self-tuning.) + + New stats counters have been added to count queries spilled due to + these quotas. NOTE: These options are NOT built in by default; use + configure --enable-fetchlimit to enable them. + +BIND 9.9.9 + +BIND 9.9.9 is a maintenance release and addresses bugs found in BIND 9.9.8 +and earlier, as well as the security flaws described in CVE-2015-8000, +CVE-2015-8461, CVE-2015-8704, CVE-2016-1285, CVE-2016-1286, CVE-2016-2775 +and CVE-2016-2776. + +BIND 9.9.10 + +BIND 9.9.10 is a maintenance release and addresses the security flaws +disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, +CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136, +CVE-2017-3137, and CVE-2017-3138. + +Building BIND + +BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX +support, and a 64-bit integer type. Successful builds have been observed +on many versions of Linux and UNIX, including RedHat, Fedora, Debian, +Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, +HP-UX, AIX, SCO OpenServer, and OpenWRT. + +BIND is also available for Windows XP, 2003, 2008, and higher. See +win32utils/readme1st.txt for details on building for Windows systems. + +To build on a UNIX or Linux system, use: + + $ ./configure + $ make + +If you're planning on making changes to the BIND 9 source, you should run +make depend. If you're using Emacs, you might find make tags helpful. + +Several environment variables that can be set before running configure +will affect compilation: + +Variable Description +CC The C compiler to use. configure tries to figure out the + right one for supported systems. + C compiler flags. Defaults to include -g and/or -O2 as +CFLAGS supported by the compiler. Please include '-g' if you need + to set CFLAGS. + System header file directories. Can be used to specify +STD_CINCLUDES where add-on thread or IPv6 support is, for example. + Defaults to empty string. + Any additional preprocessor symbols you want defined. +STD_CDEFINES Defaults to empty string. For a list of possible settings, + see the file OPTIONS. +LDFLAGS Linker flags. Defaults to empty string. +BUILD_CC Needed when cross-compiling: the native C compiler to use + when building for the target system. +BUILD_CFLAGS Optional, used for cross-compiling +BUILD_CPPFLAGS +BUILD_LDFLAGS +BUILD_LIBS + +Compile-time options + +To see a full list of configuration options, run configure --help. + +On most platforms, BIND 9 is built with multithreading support, allowing +it to take advantage of multiple CPUs. You can configure this by +specifying --enable-threads or --disable-threads on the configure command +line. The default is to enable threads, except on some older operating +systems on which threads are known to have had problems in the past. +(Note: Prior to BIND 9.10, the default was to disable threads on Linux +systems; this has now been reversed. On Linux systems, the threaded build +is known to change BIND's behavior with respect to file permissions; it +may be necessary to specify a user with the -u option when running named.) + +To build shared libraries, specify --with-libtool on the configure command +line. + +Certain compiled-in constants and default settings can be increased to +values better suited to large servers with abundant memory resources (e.g, +64-bit servers with 12G or more of memory) by specifying --with-tuning= +large on the configure command line. This can improve performance on big +servers, but will consume more memory and may degrade performance on +smaller systems. + +For the server to support DNSSEC, you need to build it with crypto +support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer +installed. If the OpenSSL library is installed in a nonstandard location, +specify the prefix using "--with-openssl=/prefix" on the configure command +line. To use a PKCS#11 hardware service module for cryptographic +operations, specify the path to the PKCS#11 provider library using +"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". + +To support the HTTP statistics channel, the server must be linked with +libxml2 http://xmlsoft.org If this is installed at a nonstandard location, +specify the prefix using --with-libxml2=/prefix. + +Python requires the 'argparse' module to be available. 'argparse' is a +standard module as of Python 2.7 and Python 3.2. + +On some platforms it is necessary to explicitly request large file support +to handle files bigger than 2GB. This can be done by using +--enable-largefile on the configure command line. + +Support for the "fixed" rrset-order option can be enabled or disabled by +specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure +command line. By default, fixed rrset-order is disabled to reduce memory +footprint. + +If your operating system has integrated support for IPv6, it will be used +automatically. If you have installed KAME IPv6 separately, use --with-kame +[=PATH] to specify its location. + +make install will install named and the various BIND 9 libraries. By +default, installation is into /usr/local, but this can be changed with the +--prefix option when running configure. + +You may specify the option --sysconfdir to set the directory where +configuration files like named.conf go by default, and --localstatedir to +set the default parent directory of run/named.pid. For backwards +compatibility with BIND 8, --sysconfdir defaults to /etc and +--localstatedir defaults to /var if no --prefix option is given. If there +is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir +defaults to $prefix/var. + +Automated testing + +A system test suite can be run with make test. The system tests require +you to configure a set of virtual IP addresses on your system (this allows +multiple servers to run locally and communicate with one another). These +IP addresses can be configured by by running the script bin/tests/system/ +ifconfig.sh up as root. + +Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, +and will be skipped if these are not available. Some tests require Python +and the 'dnspython' module and will be skipped if these are not available. +See bin/tests/system/README for further details. + +Unit tests are implemented using Automated Testing Framework (ATF). To run +them, use configure --with-atf, then run make test or make unit. + +Documentation + +The BIND 9 Administrator Reference Manual is included with the source +distribution, in DocBook XML, HTML and PDF format, in the doc/arm +directory. + +Some of the programs in the BIND 9 distribution have man pages in their +directories. In particular, the command line options of named are +documented in bin/named/named.8. + +Frequently (and not-so-frequently) asked questions and their answers can +be found in the ISC Knowledge Base at https://kb.isc.org. + +Additional information on various subjects can be found in other README +files throughout the source tree. + +Change log + +A detailed list of all changes that have been made throughout the +development BIND 9 is included in the file CHANGES, with the most recent +changes listed first. Change notes include tags indicating the category of +the change that was made; these categories are: + +Category Description +[func] New feature +[bug] General bug fix +[security] Fix for a significant security flaw +[experimental] Used for new features when the syntax or other aspects of + the design are still in flux and may change +[port] Portability enhancement +[maint] Updates to built-in data such as root server addresses and + keys +[tuning] Changes to built-in configuration defaults and constants to + improve performance +[performance] Other changes to improve server performance +[protocol] Updates to the DNS protocol such as new RR types +[test] Changes to the automatic tests, not affecting server + functionality +[cleanup] Minor corrections and refactoring +[doc] Documentation +[contrib] Changes to the contributed tools and libraries in the + 'contrib' subdirectory + Used in the master development branch to reserve change +[placeholder] numbers for use in other branches, e.g. when fixing a bug + that only exists in older releases + +In general, [func] and [experimental] tags will only appear in new-feature +releases (i.e., those with version numbers ending in zero). Some new +functionality may be backported to older releases on a case-by-case basis. +All other change types may be applied to all currently-supported releases. + +Acknowledgments + + * The original development of BIND 9 was underwritten by the following + organizations: + + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. + + * This product includes software developed by the OpenSSL Project for + use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com) + * This product includes software written by Tim Hudson + (tjh@cryptsoft.com) + diff --git a/README.md b/README.md index 8f7f9fed01..083a46ceb5 100644 --- a/README.md +++ b/README.md @@ -262,9 +262,6 @@ To build on a UNIX or Linux system, use: $ ./configure $ make -(NOTE: Using multiple processors in `make` is not reliable and is not -advised.) - If you're planning on making changes to the BIND 9 source, you should run `make depend`. If you're using Emacs, you might find `make tags` helpful. diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index d93b059f64..408373e662 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -106,8 +106,7 @@ RRLSRCS = rrl.c SRCS = ${DSTSRCS} ${DNSSRCS} @RRLLINKSRCS@ SUBDIRS = include -TARGETS = include/dns/enumtype.h include/dns/enumclass.h \ - include/dns/rdatastruct.h timestamp +TARGETS = timestamp TESTDIRS = @UNITTESTS@ DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \ @@ -133,31 +132,11 @@ libdns.la: ${OBJS} -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -timestamp: libdns.@A@ - touch timestamp - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - -install:: timestamp installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} - -uninstall:: - ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ - -clean distclean:: - rm -f libdns.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -newrr:: - rm -f code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -include: include/dns/enumtype.h include/dns/enumclass.h \ - include/dns/rdatastruct.h - -rdata.@O@: code.h +include: gen + ${MAKE} include/dns/enumtype.h + ${MAKE} include/dns/enumclass.h + ${MAKE} include/dns/rdatastruct.h + ${MAKE} code.h include/dns/enumtype.h: gen ./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; } @@ -180,13 +159,38 @@ gen: gen.c ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} -rbtdb64.@O@: rbtdb.c +timestamp: include libdns.@A@ + touch timestamp -depend: include/dns/enumtype.h include/dns/enumclass.h \ - include/dns/rdatastruct.h code.h -subdirs: include/dns/enumtype.h include/dns/enumclass.h \ - include/dns/rdatastruct.h code.h -${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \ +testdirs: libdns.@A@ + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + +install:: timestamp installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} + +uninstall:: + ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ + +clean distclean:: + rm -f libdns.@A@ timestamp + rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + +newrr:: + rm -f code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + +include: include/dns/enumtype.h include/dns/enumclass.h \ include/dns/rdatastruct.h +rdata.@O@: include + +rbtdb64.@O@: rbtdb.c + +depend: include +subdirs: include +${OBJS}: include + spnego.@O@: spnego_asn1.c spnego.h diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in index fc302b2776..8c18bc04c1 100644 --- a/lib/irs/Makefile.in +++ b/lib/irs/Makefile.in @@ -71,6 +71,8 @@ libirs.la: ${OBJS} version.@O@ timestamp: libirs.@A@ touch timestamp +testdirs: libirs.@A@ + installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in index 30303f14c7..0b0da87ef5 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -129,6 +129,8 @@ libisc-nosymtbl.la: ${OBJS} timestamp: libisc.@A@ libisc-nosymtbl.@A@ touch timestamp +testdirs: libisc.@A@ libisc-nosymtbl.@A@ + installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in index bb79ae08c4..cb9a752914 100644 --- a/lib/lwres/Makefile.in +++ b/lib/lwres/Makefile.in @@ -74,6 +74,8 @@ liblwres.la: ${OBJS} version.@O@ timestamp: liblwres.@A@ touch timestamp +testdirs: liblwres.@A@ + installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}