diff --git a/HISTORY b/HISTORY index a397e04d22..9a3b759996 100644 --- a/HISTORY +++ b/HISTORY @@ -1,134 +1,5 @@ -Functional enhancements from prior major releases of BIND 9 +Summary of functional enhancements from prior major releases of BIND 9: -BIND 9.11 - -BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier -releases. New features include: - - * Added support for Catalog Zones, a new method for provisioning - servers: a list of zones to be served is stored in a DNS zone, along - with their configuration parameters. Changes to the catalog zone are - propagated to slaves via normal AXFR/IXFR, whereupon the zones that - are listed in it are automatically added, deleted or reconfigured. - * Added support for "dnstap", a fast and flexible method of capturing - and logging DNS traffic. - * Added support for "dyndb", a new API for loading zone data from an - external database, developed by Red Hat for the FreeIPA project. - * "fetchlimit" quotas are now compiled in by default. These are for the - use of recursive resolvers that are are under high query load for - domains whose authoritative servers are nonresponsive or are - experiencing a denial of service attack: - + "fetches-per-server" limits the number of simultaneous queries - that can be sent to any single authoritative server. The - configured value is a starting point; it is automatically adjusted - downward if the server is partially or completely non-responsive. - The algorithm used to adjust the quota can be configured via the - "fetch-quota-params" option. - + "fetches-per-zone" limits the number of simultaneous queries that - can be sent for names within a single domain. (Note: Unlike - "fetches-per-server", this value is not self-tuning.) - + New stats counters have been added to count queries spilled due to - these quotas. - * Added a new "dnssec-keymgr" key mainenance utility, which can generate - or update keys as needed to ensure that a zone's keys match a defined - DNSSEC policy. - * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" - and is no longer optional. EDNS COOKIE is a mechanism enabling clients - to detect off-path spoofed responses, and servers to detect - spoofed-source queries. Clients that identify themselves using COOKIE - options are not subject to response rate limiting (RRL) and can - receive larger UDP responses. - * SERVFAIL responses can now be cached for a limited time (defaulting to - 1 second, with an upper limit of 30). This can reduce the frequency of - retries when a query is persistently failing. - * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to - be skipped if a name server IP address isn't in the cache yet; the - address will be looked up and the rule will be applied on future - queries. - * Added a Python RNDC module. This allows multiple commands to sent over - a persistent RNDC channel, which saves time. - * The "controls" block in named.conf can now grant read-only "rndc" - access to specified clients or keys. Read-only clients could, for - example, check "rndc status" but could not reconfigure or shut down - the server. - * "rndc" commands can now return arbitrarily large amounts of text to - the caller. - * The zone serial number of a dynamically updatable zone can now be set - via "rndc signing -serial ". This allows inline-signing zones to be - set to a specific serial number. - * The new "rndc nta" command can be used to set a Negative Trust Anchor - (NTA), disabling DNSSEC validation for a specific domain; this can be - used when responses from a domain are known to be failing validation - due to administrative error rather than because of a spoofing attack. - Negative trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. - * "rndc delzone" can now be used on zones that were not originally - created by "rndc addzone". - * "rndc modzone" reconfigures a single zone, without requiring the - entire server to be reconfigured. - * "rndc showzone" displays the current configuration of a zone. - * "rndc managed-keys" can be used to check the status of RFC 5001 - managed trust anchors, or to force trust anchors to be refreshed. - * "max-cache-size" can now be set to a percentage of available memory. - The default is 90%. - * Update forwarding performance has been improved by allowing a single - TCP connection to be shared by multiple updates. - * The EDNS Client Subnet (ECS) option is now supported for authoritative - servers; if a query contains an ECS option then ACLs containing - "geoip" or "ecs" elements can match against the the address encoded in - the option. This can be used to select a view for a query, so that - different answers can be provided depending on the client network. - * The EDNS EXPIRE option has been implemented on the client side, - allowing a slave server to set the expiration timer correctly when - transferring zone data from another slave server. - * The key generation and manipulation tools (dnssec-keygen, - dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take - "-Psync" and "-Dsync" options to set the publication and deletion - times of CDS and CDNSKEY parent-synchronization records. Both named - and dnssec-signzone can now publish and remove these records at the - scheduled times. - * A new "minimal-any" option reduces the size of UDP responses for query - type ANY by returning a single arbitrarily selected RRset instead of - all RRsets. - * A new "masterfile-style" zone option controls the formatting of text - zone files: When set to "full", a zone file is dumped in - single-line-per-record format. - * "serial-update-method" can now be set to "date". On update, the serial - number will be set to the current date in YYYYMMDDNN format. - * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. - * "named -L " causes named to send log messages to the specified file by - default instead of to the system log. - * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, - s for weeks, days, hours, minutes, and seconds. - * "dig +unknownformat" prints dig output in RFC 3597 "unknown record" - presentation format. - * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests. - * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on - requests. - * "mdig" is an alternate version of dig which sends multiple pipelined - TCP queries to a server. Instead of waiting for a response after - sending a query, it sends all queries immediately and displays - responses in the order received. - * "serial-query-rate" no longer controls NOTIFY messages. These are - separately controlled by "notify-rate" and "startup-notify-rate". - * "nsupdate" now performs "check-names" processing by default on records - to be added. This can be disabled with "check-names no". - * The statistics channel now supports DEFLATE compression, reducing the - size of the data sent over the network when querying statistics. - * New counters have been added to the statistics channel to track the - sizes of incoming queries and outgoing responses in histogram buckets, - as specified in RSSAC002. - * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been - added, allowing redirection to a specified DNS namespace instead of a - single redirect zone. - * When starting up, named now ensures that no other named process is - already running. - * Files created by named to store information, including "mkeys" and - "nzf" files, are now named after their corresponding views unless the - view name contains characters incompatible with use as a filename. Old - style filenames (based on the hash of the view name) will still work. - -<<<<<<< HEAD BIND 9.8.0 BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier @@ -180,400 +51,315 @@ BIND 9.7.0 dig, host, nslookup and nsupdate. - Improved PKCS#11 support, including Keyper support and explicit OpenSSL engine selection. -======= -BIND 9.10.0 - -BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier -releases. New features include: - - * DNS Response-rate limiting (DNS RRL), which blunts the impact of - reflection and amplification attacks, is always compiled in and no - longer requires a compile-time option to enable it. - * An experimental "Source Identity Token" (SIT) EDNS option is now - available. Similar to DNS Cookies as invented by Donald Eastlake 3rd, - these are designed to enable clients to detect off-path spoofed - responses, and to enable servers to detect spoofed-source queries. - Servers can be configured to send smaller responses to clients that - have not identified themselves using a SIT option, reducing the - effectiveness of amplification attacks. RRL processing has also been - updated; clients proven to be legitimate via SIT are not subject to - rate limiting. Use "configure --enable-sit" to enable this feature in - BIND. - * A new zone file format, "map", stores zone data in a format that can - be mapped directly into memory, allowing significantly faster zone - loading. - * "delv" (domain entity lookup and validation) is a new tool with - dig-like semantics for looking up DNS data and performing internal - DNSSEC validation. This allows easy validation in environments where - the resolver may not be trustworthy, and assists with troubleshooting - of DNSSEC problems. (NOTE: In previous development releases of BIND - 9.10, this utility was called "delve". The spelling has been changed - to avoid confusion with the "delve" utility included with the Xapian - search engine.) - * Improved EDNS(0) processing for better resolver performance and - reliability over slow or lossy connections. - * A new "configure --with-tuning=large" option tunes certain compiled-in - constants and default settings to values better suited to large - servers with abundant memory. This can improve performance on such - servers, but will consume more memory and may degrade performance on - smaller systems. - * Substantial improvement in response-policy zone (RPZ) performance. Up - to 32 response-policy zones can be configured with minimal performance - loss. - * To improve recursive resolver performance, cache records which are - still being requested by clients can now be automatically refreshed - from the authoritative server before they expire, reducing or - eliminating the time window in which no answer is available in the - cache. - * New "rpz-client-ip" triggers and drop policies allowing response - policies based on the IP address of the client. - * ACLs can now be specified based on geographic location using the - MaxMind GeoIP databases. Use "configure --with-geoip" to enable. - * Zone data can now be shared between views, allowing multiple views to - serve the same zones authoritatively without storing multiple copies - in memory. - * New XML schema (version 3) for the statistics channel includes many - new statistics and uses a flattened XML tree for faster parsing. The - older schema is now deprecated. - * A new stylesheet, based on the Google Charts API, displays XML - statistics in charts and graphs on javascript-enabled browsers. - * The statistics channel can now provide data in JSON format as well as - XML. - * New stats counters track TCP and UDP queries received per zone, and - EDNS options received in total. - * The internal and export versions of the BIND libraries (libisc, - libdns, etc) have been unified so that external library clients can - use the same libraries as BIND itself. - * A new compile-time option, "configure --enable-native-pkcs11", allows - BIND 9 cryptography functions to use the PKCS#11 API natively, so that - BIND can drive a cryptographic hardware service module (HSM) directly - instead of using a modified OpenSSL as an intermediary. (Note: This - feature requires an HSM to have a full implementation of the PKCS#11 - API; many current HSMs only have partial implementations. The new - "pkcs11-tokens" command can be used to check API completeness. Native - PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM - version 2 from the Open DNSSEC project.) - * The new "max-zone-ttl" option enforces maximum TTLs for zones. This - can simplify the process of rolling DNSSEC keys by guaranteeing that - cached signatures will have expired within the specified amount of - time. - * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying. - * "dig +expire" sends an EDNS EXPIRE option when querying. When this - option is sent with an SOA query to a server that supports it, it will - report the expiry time of a slave zone. - * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and - report if a lapse in signing coverage has been inadvertently - scheduled. - * Signing algorithm flexibility and other improvements for the "rndc" - control channel. - * "named-checkzone" and "named-compilezone" can now read journal files, - allowing them to process dynamic zones. - * Multiple DLZ databases can now be configured. Individual zones can be - configured to be served from a specific DLZ database. DLZ databases - now serve zones of type "master" and "redirect". - * "rndc zonestatus" reports information about a specified zone. - * "named" now listens on IPv6 as well as IPv4 interfaces by default. - * "named" now preserves the capitalization of names when responding to - queries: for instance, a query for "example.com" may be answered with - "example.COM" if the name was configured that way in the zone file. - Some clients have a bug causing them to depend on the older behavior, - in which the case of the answer always matched the case of the query, - rather than the case of the name configured in the DNS. Such clients - can now be specified in the new "no-case-compress" ACL; this will - restore the older behavior of "named" for those clients only. - * new "dnssec-importkey" command allows the use of offline DNSSEC keys - with automatic DNSKEY management. - * New "named-rrchecker" tool to verify the syntactic correctness of - individual resource records. - * When re-signing a zone, the new "dnssec-signzone -Q" option drops - signatures from keys that are still published but are no longer - active. - * "named-checkconf -px" will print the contents of configuration files - with the shared secrets obscured, making it easier to share - configuration (e.g. when submitting a bug report) without revealing - private information. - * "rndc scan" causes named to re-scan network interfaces for changes in - local addresses. - * On operating systems with support for routing sockets, network - interfaces are re-scanned automatically whenever they change. - * "tsig-keygen" is now available as an alternate command name to use for - "ddns-confgen". - -BIND 9.9.0 - -BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier -releases. New features include: - - * Inline signing, allowing automatic DNSSEC signing of master zones - without modification of the zonefile, or "bump in the wire" signing in - slaves. - * NXDOMAIN redirection. - * New 'rndc flushtree' command clears all data under a given name from - the DNS cache. - * New 'rndc sync' command dumps pending changes in a dynamic zone to - disk without a freeze/thaw cycle. - * New 'rndc signing' command displays or clears signing status records - in 'auto-dnssec' zones. - * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to - signing, eliminating the need to initially sign with NSEC. - * Startup time improvements on large authoritative servers. - * Slave zones are now saved in raw format by default. - * Several improvements to response policy zones (RPZ). - * Improved hardware scalability by using multiple threads to listen for - queries and using finer-grained client locking - * The 'also-notify' option now takes the same syntax as 'masters', so it - can used named masterlists and TSIG keys. - * 'dnssec-signzone -D' writes an output file containing only DNSSEC - data, which can be included by the primary zone file. - * 'dnssec-signzone -R' forces removal of signatures that are not expired - but were created by a key which no longer exists. - * 'dnssec-signzone -X' allows a separate expiration date to be specified - for DNSKEY signatures from other signatures. - * New '-L' option to dnssec-keygen, dnssec-settime, and - dnssec-keyfromlabel sets the default TTL for the key. - * dnssec-dsfromkey now supports reading from standard input, to make it - easier to convert DNSKEY to DS. - * RFC 1918 reverse zones have been added to the empty-zones table per - RFC 6303. - * Dynamic updates can now optionally set the zone's SOA serial number to - the current UNIX time. - * DLZ modules can now retrieve the source IP address of the querying - client. - * 'request-ixfr' option can now be set at the per-zone level. - * 'dig +rrcomments' turns on comments about DNSKEY records, indicating - their key ID, algorithm and function - * Simplified nsupdate syntax and added readline support - -BIND 9.8.0 - -BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier -releases. New features include: - - * Built-in trust anchor for the root zone, which can be switched on via - "dnssec-validation auto;" - * Support for DNS64. - * Support for response policy zones (RPZ). - * Support for writable DLZ zones. - * Improved ease of configuration of GSS/TSIG for interoperability with - Active Directory - * Support for GOST signing algorithm for DNSSEC. - * Removed RTT Banding from server selection algorithm. - * New "static-stub" zone type. - * Allow configuration of resolver timeouts via "resolver-query-timeout" - option. - * The DLZ "dlopen" driver is now built by default. - * Added a new include file with function typedefs for the DLZ "dlopen" - driver. - * Made "--with-gssapi" default. - * More verbose error reporting from DLZ LDAP. - -BIND 9.7.0 - -BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier -releases. Most are intended to simplify DNSSEC configuration. New features -include: - - * Fully automatic signing of zones by "named". - * Simplified configuration of DNSSEC Lookaside Validation (DLV). - * Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) - * New named option "attach-cache" that allows multiple views to share a - single cache. - * DNS rebinding attack prevention. - * New default values for dnssec-keygen parameters. - * Support for RFC 5011 automated trust anchor maintenance - * Smart signing: simplified tools for zone signing and key maintenance. - * The "statistics-channels" option is now available on Windows. - * A new DNSSEC-aware libdns API for use by non-BIND9 applications - * On some platforms, named and other binaries can now print out a stack - backtrace on assertion failure, to aid in debugging. - * A "tools only" installation mode on Windows, which only installs dig, - host, nslookup and nsupdate. - * Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. ->>>>>>> 95f7e98... [master] update README, remove FAQ BIND 9.6.0 - * Full NSEC3 support - * Automatic zone re-signing - * New update-policy methods tcp-self and 6to4-self - * The BIND 8 resolver library, libbind, has been removed from the BIND 9 - distribution and is now available as a separate download. - * Change the default pid file location from /var/run to /var/run/ - {named,lwresd} for improved chroot/setuid support. + Full NSEC3 support + + Automatic zone re-signing + + New update-policy methods tcp-self and 6to4-self + + The BIND 8 resolver library, libbind, has been removed from the + BIND 9 distribution and is now available as a separate download. + + Change the default pid file location from /var/run to + /var/run/{named,lwresd} for improved chroot/setuid support. BIND 9.5.0 - * GSS-TSIG support (RFC 3645). - * DHCID support. - * Experimental http server and statistics support for named via xml. - * More detailed statistics counters including those supported in BIND 8. - * Faster ACL processing. - * Use Doxygen to generate internal documentation. - * Efficient LRU cache-cleaning mechanism. - * NSID support. + GSS-TSIG support (RFC 3645). + + DHCID support. + + Experimental http server and statistics support for named via xml. + + More detailed statistics counters including those supported in BIND 8. + + Faster ACL processing. + + Use Doxygen to generate internal documentation. + + Efficient LRU cache-cleaning mechanism. + + NSID support. BIND 9.4.0 - * Implemented "additional section caching (or acache)", an internal - cache framework for additional section content to improve response - performance. Several configuration options were provided to control - the behavior. - * New notify type 'master-only'. Enable notify for master zones only. - * Accept 'notify-source' style syntax for query-source. - * rndc now allows addresses to be set in the server clauses. - * New option "allow-query-cache". This lets "allow-query" be used to - specify the default zone access level rather than having to have every - zone override the global value. "allow-query-cache" can be set at both - the options and view levels. If "allow-query-cache" is not set then - "allow-recursion" is used if set, otherwise "allow-query" is used if - set unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - * rndc: the source address can now be specified. - * ixfr-from-differences now takes master and slave in addition to yes - and no at the options and view levels. - * Allow the journal's name to be changed via named.conf. - * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the - specified zone. - * 'dig +trace' now randomly selects the next servers to try. Report if - there is a bad delegation. - * Improve check-names error messages. - * Make public the function to read a key file, dst_key_read_public(). - * dig now returns the byte count for axfr/ixfr. - * allow-update is now settable at the options / view level. - * named-checkconf now checks the logging configuration. - * host now can turn on memory debugging flags with '-m'. - * Don't send notify messages to self. - * Perform sanity checks on NS records which refer to 'in zone' names. - * New zone option "notify-delay". Specify a minimum delay between sets - of NOTIFY messages. - * Extend adjusting TTL warning messages. - * Named and named-checkzone can now both check for non-terminal wildcard - records. - * "rndc freeze/thaw" now freezes/thaws all zones. - * named-checkconf now check acls to verify that they only refer to - existing acls. - * The server syntax has been extended to support a range of servers. - * Report differences between hints and real NS rrset and associated - address records. - * Preserve the case of domain names in rdata during zone transfers. - * Restructured the data locking framework using architecture dependent - atomic operations (when available), improving response performance on - multi-processor machines significantly. x86, x86_64, alpha, powerpc, - and mips are currently supported. - * UNIX domain controls are now supported. - * Add support for additional zone file formats for improving loading - performance. The masterfile-format option in named.conf can be used to - specify a non-default format. A separate command named-compilezone was - provided to generate zone files in the new format. Additionally, the - -I and -O options for dnssec-signzone specify the input and output - formats. - * dnssec-signzone can now randomize signature end times (dnssec-signzone - -j jitter). - * Add support for CH A record. - * Add additional zone data constancy checks. named-checkzone has - extended checking of NS, MX and SRV record and the hosts they - reference. named has extended post zone load checks. New zone options: - check-mx and integrity-check. - * edns-udp-size can now be overridden on a per server basis. - * dig can now specify the EDNS version when making a query. - * Added framework for handling multiple EDNS versions. - * Additional memory debugging support to track size and mctx arguments. - * Detect duplicates of UDP queries we are recursing on and drop them. - New stats category "duplicates". - * "USE INTERNAL MALLOC" is now runtime selectable. - * The lame cache is now done on a basis as some servers only appear to - be lame for certain query types. - * Limit the number of recursive clients that can be waiting for a single - query () to resolve. New options clients-per-query and - max-clients-per-query. - * dig: report the number of extra bytes still left in the packet after - processing all the records. - * Support for IPSECKEY rdata type. - * Raise the UDP recieve buffer size to 32k if it is less than 32k. - * x86 and x86_64 now have seperate atomic locking implementations. - * named-checkconf now validates update-policy entries. - * Attempt to make the amount of work performed in a iteration self - tuning. The covers nodes clean from the cache per iteration, nodes - written to disk when rewriting a master file and nodes destroyed per - iteration when destroying a zone or a cache. - * ISC string copy API. - * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC - 1918 zones are not yet covered by this but are likely to be in a - future release. - * New options: empty-server, empty-contact, empty-zones-enable and - disable-empty-zone. - * dig now has a '-q queryname' and '+showsearch' options. - * host/nslookup now continue (default)/fail on SERVFAIL. - * dig now warns if 'RA' is not set in the answer when 'RD' was set in - the query. host/nslookup skip servers that fail to set 'RA' when 'RD' - is set unless a server is explicitly set. - * Integrate contibuted DLZ code into named. - * Integrate contibuted IDN code from JPNIC. - * libbind: corresponds to that from BIND 8.4.7. + Implemented "additional section caching (or acache)", an + internal cache framework for additional section content to + improve response performance. Several configuration options + were provided to control the behavior. + + New notify type 'master-only'. Enable notify for master + zones only. + + Accept 'notify-source' style syntax for query-source. + + rndc now allows addresses to be set in the server clauses. + + New option "allow-query-cache". This lets "allow-query" + be used to specify the default zone access level rather + than having to have every zone override the global value. + "allow-query-cache" can be set at both the options and view + levels. If "allow-query-cache" is not set then "allow-recursion" + is used if set, otherwise "allow-query" is used if set + unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. + + rndc: the source address can now be specified. + + ixfr-from-differences now takes master and slave in addition + to yes and no at the options and view levels. + + Allow the journal's name to be changed via named.conf. + + 'rndc notify zone [class [view]]' resend the NOTIFY messages + for the specified zone. + + 'dig +trace' now randomly selects the next servers to try. + Report if there is a bad delegation. + + Improve check-names error messages. + + Make public the function to read a key file, dst_key_read_public(). + + dig now returns the byte count for axfr/ixfr. + + allow-update is now settable at the options / view level. + + named-checkconf now checks the logging configuration. + + host now can turn on memory debugging flags with '-m'. + + Don't send notify messages to self. + + Perform sanity checks on NS records which refer to 'in zone' names. + + New zone option "notify-delay". Specify a minimum delay + between sets of NOTIFY messages. + + Extend adjusting TTL warning messages. + + Named and named-checkzone can now both check for non-terminal + wildcard records. + + "rndc freeze/thaw" now freezes/thaws all zones. + + named-checkconf now check acls to verify that they only + refer to existing acls. + + The server syntax has been extended to support a range of + servers. + + Report differences between hints and real NS rrset and + associated address records. + + Preserve the case of domain names in rdata during zone + transfers. + + Restructured the data locking framework using architecture + dependent atomic operations (when available), improving + response performance on multi-processor machines significantly. + x86, x86_64, alpha, powerpc, and mips are currently supported. + + UNIX domain controls are now supported. + + Add support for additional zone file formats for improving + loading performance. The masterfile-format option in + named.conf can be used to specify a non-default format. A + separate command named-compilezone was provided to generate + zone files in the new format. Additionally, the -I and -O + options for dnssec-signzone specify the input and output + formats. + + dnssec-signzone can now randomize signature end times + (dnssec-signzone -j jitter). + + Add support for CH A record. + + Add additional zone data constancy checks. named-checkzone + has extended checking of NS, MX and SRV record and the hosts + they reference. named has extended post zone load checks. + New zone options: check-mx and integrity-check. + + + edns-udp-size can now be overridden on a per server basis. + + dig can now specify the EDNS version when making a query. + + Added framework for handling multiple EDNS versions. + + Additional memory debugging support to track size and mctx + arguments. + + Detect duplicates of UDP queries we are recursing on and + drop them. New stats category "duplicates". + + "USE INTERNAL MALLOC" is now runtime selectable. + + The lame cache is now done on a basis + as some servers only appear to be lame for certain query + types. + + Limit the number of recursive clients that can be waiting + for a single query () to resolve. New + options clients-per-query and max-clients-per-query. + + dig: report the number of extra bytes still left in the + packet after processing all the records. + + Support for IPSECKEY rdata type. + + Raise the UDP recieve buffer size to 32k if it is less than 32k. + + x86 and x86_64 now have seperate atomic locking implementations. + + named-checkconf now validates update-policy entries. + + Attempt to make the amount of work performed in a iteration + self tuning. The covers nodes clean from the cache per + iteration, nodes written to disk when rewriting a master + file and nodes destroyed per iteration when destroying a + zone or a cache. + + ISC string copy API. + + Automatic empty zone creation for D.F.IP6.ARPA and friends. + Note: RFC 1918 zones are not yet covered by this but are + likely to be in a future release. + + New options: empty-server, empty-contact, empty-zones-enable + and disable-empty-zone. + + dig now has a '-q queryname' and '+showsearch' options. + + host/nslookup now continue (default)/fail on SERVFAIL. + + dig now warns if 'RA' is not set in the answer when 'RD' + was set in the query. host/nslookup skip servers that fail + to set 'RA' when 'RD' is set unless a server is explicitly + set. + + Integrate contibuted DLZ code into named. + + Integrate contibuted IDN code from JPNIC. + + libbind: corresponds to that from BIND 8.4.7. BIND 9.3.0 - * DNSSEC is now DS based (RFC 3658). - * DNSSEC lookaside validation. - * check-names is now implemented. - * rrset-order is more complete. - * IPv4/IPv6 transition support, dual-stack-servers. - * IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - * It is now possible to specify the size of a journal, max-journal-size. - * It is now possible to define a named set of master servers to be used - in masters clause, masters. - * The advertised EDNS UDP size can now be set, edns-udp-size. - * allow-v6-synthesis has been obsoleted. - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than - NOTIMPL. This will have impact on scripts that are looking for - NOTIMPL. - * libbind: corresponds to that from BIND 8.4.5. + DNSSEC is now DS based (RFC 3658). + See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. + + DNSSEC lookaside validation. + + check-names is now implemented. + rrset-order in more complete. + + IPv4/IPv6 transition support, dual-stack-servers. + + IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + + It is now possible to specify the size of a journal, max-journal-size. + + It is now possible to define a named set of master servers to be + used in masters clause, masters. + + The advertised EDNS UDP size can now be set, edns-udp-size. + + allow-v6-synthesis has been obsoleted. + + NOTE: + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as + NOTIMP rather than NOTIMPL. This will have impact on scripts + that are looking for NOTIMPL. + + libbind: corresponds to that from BIND 8.4.5. BIND 9.2.0 - * The size of the cache can now be limited using the "max-cache-size" - option. - * The server can now automatically convert RFC1886-style recursive - lookup requests into RFC2874-style lookups, when enabled using the new - option "allow-v6-synthesis". This allows stub resolvers that support - AAAA records but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS features. - * Performance has been improved. - * The man pages now use the more portable "man" macros rather than the - "mandoc" macros, and are installed by "make install". - * The named.conf parser has been completely rewritten. It now supports - "include" directives in more places such as inside "view" statements, - and it no longer has any reserved words. - * The "rndc status" command is now implemented. - * rndc can now be configured automatically. - * A BIND 8 compatible stub resolver library is now included in lib/bind. - * OpenSSL has been removed from the distribution. This means that to use - DNSSEC, OpenSSL must be installed and the --with-openssl option must - be supplied to configure. This does not apply to the use of TSIG, - which does not require OpenSSL. - * The source distribution now builds on Windows. See win32utils/ - readme1.txt and win32utils/win32-build.txt for details. - * This distribution also includes a new lightweight stub resolver - library and associated resolver daemon that fully support forward and - reverse lookups of both IPv4 and IPv6 addresses. This library is - considered experimental and is not a complete replacement for the BIND - 8 resolver library. Applications that use the BIND 8 res_* functions - to perform DNS lookups or dynamic updates still need to be linked - against the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - * BIND 9.2 is capable of acting as an authoritative server for DNSSEC - secured zones. This functionality is believed to be stable and - complete except for lacking support for verifications involving - wildcard records in secure zones. - * When acting as a caching server, BIND 9.2 can be configured to perform - DNSSEC secure resolution on behalf of its clients. This part of the - DNSSEC implementation is still considered experimental. For detailed - information about the state of the DNSSEC implementation, see the file - doc/misc/dnssec. + The size of the cache can now be limited using the + "max-cache-size" option. + The server can now automatically convert RFC1886-style recursive + lookup requests into RFC2874-style lookups, when enabled using the + new option "allow-v6-synthesis". This allows stub resolvers that + support AAAA records but not A6 record chains or binary labels to + perform lookups in domains that make use of these IPv6 DNS + features. + + Performance has been improved. + + The man pages now use the more portable "man" macros rather than + the "mandoc" macros, and are installed by "make install". + + The named.conf parser has been completely rewritten. It now + supports "include" directives in more places such as inside "view" + statements, and it no longer has any reserved words. + + The "rndc status" command is now implemented. + + rndc can now be configured automatically. + + A BIND 8 compatible stub resolver library is now included in + lib/bind. + + OpenSSL has been removed from the distribution. This means that to + use DNSSEC, OpenSSL must be installed and the --with-openssl option + must be supplied to configure. This does not apply to the use of + TSIG, which does not require OpenSSL. + + The source distribution now builds on Windows. See + win32utils/readme1.txt and win32utils/win32-build.txt for details. + + This distribution also includes a new lightweight stub + resolver library and associated resolver daemon that fully + support forward and reverse lookups of both IPv4 and IPv6 + addresses. This library is considered experimental and + is not a complete replacement for the BIND 8 resolver library. + Applications that use the BIND 8 res_* functions to perform + DNS lookups or dynamic updates still need to be linked against + the BIND 8 libraries. For DNS lookups, they can also use the + new "getrrsetbyname()" API. + + BIND 9.2 is capable of acting as an authoritative server + for DNSSEC secured zones. This functionality is believed to + be stable and complete except for lacking support for + verifications involving wildcard records in secure zones. + + When acting as a caching server, BIND 9.2 can be configured + to perform DNSSEC secure resolution on behalf of its clients. + This part of the DNSSEC implementation is still considered + experimental. For detailed information about the state of the + DNSSEC implementation, see the file doc/misc/dnssec. + + There are a few known bugs: + + On some systems, IPv6 and IPv4 sockets interact in + unexpected ways. For details, see doc/misc/ipv6. + To reduce the impact of these problems, the server + no longer listens for requests on IPv6 addresses + by default. If you need to accept DNS queries over + IPv6, you must specify "listen-on-v6 { any; };" + in the named.conf options statement. + + FreeBSD prior to 4.2 (and 4.2 if running as non-root) + and OpenBSD prior to 2.8 log messages like + "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and + OS X 10.2 (Darwin 6.0) reports errors like + "fcntl(3, F_SETFL, 4): Operation not supported by device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + --with-libtool does not work on AIX. + + A bug in some versions of the Microsoft DNS server can cause zone + transfers from a BIND 9 server to a W2K server to fail. For details, + see the "Zone Transfers" section in doc/misc/migration.