diff --git a/HISTORY b/HISTORY index e98f9b4146..6db5f2d88e 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,5 +1,56 @@ Summary of functional enhancements from prior major releases of BIND 9: +BIND 9.8.0 + + BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier + releases. New features include: + + - Built-in trust anchor for the root zone, which can be + switched on via "dnssec-validation auto;" + - Support for DNS64. + - Support for response policy zones (RPZ). + - Support for writable DLZ zones. + - Improved ease of configuration of GSS/TSIG for + interoperability with Active Directory + - Support for GOST signing algorithm for DNSSEC. + - Removed RTT Banding from server selection algorithm. + - New "static-stub" zone type. + - Allow configuration of resolver timeouts via + "resolver-query-timeout" option. + - The DLZ "dlopen" driver is now built by default. + - Added a new include file with function typedefs + for the DLZ "dlopen" driver. + - Made "--with-gssapi" default. + - More verbose error reporting from DLZ LDAP. + +BIND 9.7.0 + + BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier + releases. Most are intended to simplify DNSSEC configuration. + New features include: + + - Fully automatic signing of zones by "named". + - Simplified configuration of DNSSEC Lookaside Validation (DLV). + - Simplified configuration of Dynamic DNS, using the "ddns-confgen" + command line tool or the "local" update-policy option. (As a side + effect, this also makes it easier to configure automatic zone + re-signing.) + - New named option "attach-cache" that allows multiple views to + share a single cache. + - DNS rebinding attack prevention. + - New default values for dnssec-keygen parameters. + - Support for RFC 5011 automated trust anchor maintenance + - Smart signing: simplified tools for zone signing and key + maintenance. + - The "statistics-channels" option is now available on Windows. 
+ - A new DNSSEC-aware libdns API for use by non-BIND9 applications + - On some platforms, named and other binaries can now print out + a stack backtrace on assertion failure, to aid in debugging. + - A "tools only" installation mode on Windows, which only installs + dig, host, nslookup and nsupdate. + - Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + BIND 9.6.0 Full NSEC3 support diff --git a/README b/README index b1519bfab5..07bb843353 100644 --- a/README +++ b/README 
@@ -1,67 +1,100 @@ BIND 9 - BIND version 9 is a major rewrite of nearly all aspects of the - underlying BIND architecture. Some of the important features of - BIND 9 are: + BIND version 9 is a major rewrite of nearly all aspects of the + underlying BIND architecture. Some of the important features of + BIND 9 are: - - DNS Security - DNSSEC (signed zones) - TSIG (signed DNS requests) + - DNS Security + DNSSEC (signed zones) + TSIG (signed DNS requests) - - IP version 6 - Answers DNS queries on IPv6 sockets - IPv6 resource records (AAAA) - Experimental IPv6 Resolver Library + - IP version 6 + Answers DNS queries on IPv6 sockets + IPv6 resource records (AAAA) + Experimental IPv6 Resolver Library - - DNS Protocol Enhancements - IXFR, DDNS, Notify, EDNS0 - Improved standards conformance + - DNS Protocol Enhancements + IXFR, DDNS, Notify, EDNS0 + Improved standards conformance - - Views - One server process can provide multiple "views" of - the DNS namespace, e.g. an "inside" view to certain - clients, and an "outside" view to others. + - Views + One server process can provide multiple "views" of + the DNS namespace, e.g. an "inside" view to certain + clients, and an "outside" view to others. - - Multiprocessor Support + - Multiprocessor Support - - Improved Portability Architecture + - Improved Portability Architecture - BIND version 9 development has been underwritten by the following - organizations: + BIND version 9 development has been underwritten by the following + organizations: - Sun Microsystems, Inc. - Hewlett Packard - Compaq Computer Corporation - IBM - Process Software Corporation - Silicon Graphics, Inc. - Network Associates, Inc. - U.S. Defense Information Systems Agency - USENIX Association - Stichting NLnet - NLnet Foundation - Nominum, Inc. + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. 
Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. - For a summary of functional enhancements in previous - releases, see the HISTORY file. + For a summary of functional enhancements in previous + releases, see the HISTORY file. - For a detailed list of user-visible changes from - previous releases, see the CHANGES file. + For a detailed list of user-visible changes from + previous releases, see the CHANGES file. For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes BIND 9.10.0 - Named now listens on both IPv4 and IPv6 interfaces by default. + BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier + releases. New features include: + + - DNS Response-rate limiting (DNS RRL) blunts the impact of + reflection and amplification attacks. + - New zone file format "map" is an image of a zone database + that can be loaded directly into memory, allowing much faster + zone loading. + - Up to 32 response-policy zones (RPZ) can now be configured. + RPZ performance has been substantially improved. + - ACLs can now be specified based on geographic location + using the MacMind GeoIP databases. + - New XML schema (version 3) for the statistics channel + includes many new statistics and uses a flattened XML tree + for faster parsing. + - A new stylesheet, based on the Google Charts API, displays + XML statistics in charts and graphs on javascript-enabled + browsers. + - The statistics channel can now provide data in JSON + format as well as XML. + - New 'dnssec-coverage' tool to check DNSSEC key coverage + for a zone and report if a lapse in signing coverage has + been inadvertently scheduled. + - Signing algorithm flexibility and other improvements + for the "rndc" control channel. + - 'named-checkzone' and 'named-compilezone' can now read + journal files, allowing them to process dynamic zones. + - Multiple DLZ databases can now be configured. 
Individual + zones can be configured to be served from a specific DLZ + database. DLZ databases now serve zones of type "master" + and "redirect". + - "rndc zonestatus" reports information about a specified zone. + - "named" now listens on IPv6 as well as IPv4 interfaces + by default. BIND 9.9.0 - BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier - releases. New features include: + BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier + releases. New features include: - Inline signing, allowing automatic DNSSEC signing of - master zones without modification of the zonefile, or + master zones without modification of the zonefile, or "bump in the wire" signing in slaves. - NXDOMAIN redirection. - New 'rndc flushtree' command clears all data under a given 
@@ -100,139 +133,115 @@ BIND 9.9.0 indicating their key ID, algorithm and function - Simplified nsupdate syntax and added readline support -BIND 9.8.0 - - BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier - releases. New features include: - - - Built-in trust anchor for the root zone, which can be - switched on via "dnssec-validation auto;" - - Support for DNS64. - - Support for response policy zones (RPZ). - - Support for writable DLZ zones. - - Improved ease of configuration of GSS/TSIG for - interoperability with Active Directory - - Support for GOST signing algorithm for DNSSEC. - - Removed RTT Banding from server selection algorithm. - - New "static-stub" zone type. - - Allow configuration of resolver timeouts via - "resolver-query-timeout" option. - - The DLZ "dlopen" driver is now built by default. - - Added a new include file with function typedefs - for the DLZ "dlopen" driver. - - Made "--with-gssapi" default. - - More verbose error reporting from DLZ LDAP. - - Building - BIND 9 currently requires a UNIX system with an ANSI C compiler, - basic POSIX support, and a 64 bit integer type. + BIND 9 currently requires a UNIX system with an ANSI C compiler, + basic POSIX support, and a 64 bit integer type. - We've had successful builds and tests on the following systems: + We've had successful builds and tests on the following systems: - COMPAQ Tru64 UNIX 5.1B - Fedora Core 6 - FreeBSD 4.10, 5.2.1, 6.2 - HP-UX 11.11 - Mac OS X 10.5 - NetBSD 3.x, 4.0-beta, 5.0-beta - OpenBSD 3.3 and up - Solaris 8, 9, 9 (x86), 10 - Ubuntu 7.04, 7.10 - Windows XP/2003/2008 + COMPAQ Tru64 UNIX 5.1B + Fedora Core 6 + FreeBSD 4.10, 5.2.1, 6.2 + HP-UX 11.11 + Mac OS X 10.5 + NetBSD 3.x, 4.0-beta, 5.0-beta + OpenBSD 3.3 and up + Solaris 8, 9, 9 (x86), 10 + Ubuntu 7.04, 7.10 + Windows XP/2003/2008 NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of Windows, including Windows NT and Windows 2000, are no longer supported. 
- We have recent reports from the user community that a supported - version of BIND will build and run on the following systems: + We have recent reports from the user community that a supported + version of BIND will build and run on the following systems: - AIX 4.3, 5L - CentOS 4, 4.5, 5 - Darwin 9.0.0d1/ARM - Debian 4, 5, 6 - Fedora Core 5, 7, 8 - FreeBSD 6, 7, 8 - HP-UX 11.23 PA - MacOS X 10.5, 10.6, 10.7 - Red Hat Enterprise Linux 4, 5, 6 - SCO OpenServer 5.0.6 - Slackware 9, 10 - SuSE 9, 10 + AIX 4.3, 5L + CentOS 4, 4.5, 5 + Darwin 9.0.0d1/ARM + Debian 4, 5, 6 + Fedora Core 5, 7, 8 + FreeBSD 6, 7, 8 + HP-UX 11.23 PA + MacOS X 10.5, 10.6, 10.7 + Red Hat Enterprise Linux 4, 5, 6 + SCO OpenServer 5.0.6 + Slackware 9, 10 + SuSE 9, 10 - To build, just + To build, just - ./configure - make + ./configure + make - Do not use a parallel "make". + Do not use a parallel "make". - Several environment variables that can be set before running - configure will affect compilation: + Several environment variables that can be set before running + configure will affect compilation: - CC - The C compiler to use. configure tries to figure - out the right one for supported systems. + CC + The C compiler to use. configure tries to figure + out the right one for supported systems. - CFLAGS - C compiler flags. Defaults to include -g and/or -O2 - as supported by the compiler. Please include '-g' - if you need to set CFLAGS. + CFLAGS + C compiler flags. Defaults to include -g and/or -O2 + as supported by the compiler. Please include '-g' + if you need to set CFLAGS. - STD_CINCLUDES - System header file directories. Can be used to specify - where add-on thread or IPv6 support is, for example. - Defaults to empty string. + STD_CINCLUDES + System header file directories. Can be used to specify + where add-on thread or IPv6 support is, for example. + Defaults to empty string. - STD_CDEFINES - Any additional preprocessor symbols you want defined. - Defaults to empty string. 
+ STD_CDEFINES + Any additional preprocessor symbols you want defined. + Defaults to empty string. - Possible settings: - Change the default syslog facility of named/lwresd. - -DISC_FACILITY=LOG_LOCAL0 - Enable DNSSEC signature chasing support in dig. - -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and - -DDIG_SIGCHASE_BU=1) - Disable dropping queries from particular well known ports. - -DNS_CLIENT_DROPPORT=0 - Sibling glue checking in named-checkzone is enabled by default. - To disable the default check set. -DCHECK_SIBLING=0 - named-checkzone checks out-of-zone addresses by default. - To disable this default set. -DCHECK_LOCAL=0 - To create the default pid files in ${localstatedir}/run rather - than ${localstatedir}/run/{named,lwresd}/ set. - -DNS_RUN_PID_DIR=0 - Enable workaround for Solaris kernel bug about /dev/poll - -DISC_SOCKET_USE_POLLWATCH=1 - The watch timeout is also configurable, e.g., - -DISC_SOCKET_POLLWATCH_TIMEOUT=20 + Possible settings: + Change the default syslog facility of named/lwresd. + -DISC_FACILITY=LOG_LOCAL0 + Enable DNSSEC signature chasing support in dig. + -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and + -DDIG_SIGCHASE_BU=1) + Disable dropping queries from particular well known ports. + -DNS_CLIENT_DROPPORT=0 + Sibling glue checking in named-checkzone is enabled by default. + To disable the default check set. -DCHECK_SIBLING=0 + named-checkzone checks out-of-zone addresses by default. + To disable this default set. -DCHECK_LOCAL=0 + To create the default pid files in ${localstatedir}/run rather + than ${localstatedir}/run/{named,lwresd}/ set. + -DNS_RUN_PID_DIR=0 + Enable workaround for Solaris kernel bug about /dev/poll + -DISC_SOCKET_USE_POLLWATCH=1 + The watch timeout is also configurable, e.g., + -DISC_SOCKET_POLLWATCH_TIMEOUT=20 - LDFLAGS - Linker flags. Defaults to empty string. + LDFLAGS + Linker flags. Defaults to empty string. - The following need to be set when cross compiling. 
+ The following need to be set when cross compiling. - BUILD_CC - The native C compiler. - BUILD_CFLAGS (optional) - BUILD_CPPFLAGS (optional) - Possible Settings: - -DNEED_OPTARG=1 (optarg is not declared in ) - BUILD_LDFLAGS (optional) - BUILD_LIBS (optional) + BUILD_CC + The native C compiler. + BUILD_CFLAGS (optional) + BUILD_CPPFLAGS (optional) + Possible Settings: + -DNEED_OPTARG=1 (optarg is not declared in ) + BUILD_LDFLAGS (optional) + BUILD_LIBS (optional) - To build shared libraries, specify "--with-libtool" on the - configure command line. + To build shared libraries, specify "--with-libtool" on the + configure command line. - For the server to support DNSSEC, you need to build it - with crypto support. You must have OpenSSL 0.9.5a - or newer installed and specify "--with-openssl" on the - configure command line. If OpenSSL is installed under - a nonstandard prefix, you can tell configure where to - look for it using "--with-openssl=/prefix". + For the server to support DNSSEC, you need to build it + with crypto support. You must have OpenSSL 0.9.5a + or newer installed and specify "--with-openssl" on the + configure command line. If OpenSSL is installed under + a nonstandard prefix, you can tell configure where to + look for it using "--with-openssl=/prefix". To support the HTTP statistics channel, the server must be linked with at least one of the following: libxml2 
@@ -240,90 +249,90 @@ Building If these are installed at a nonstandard prefix, use "--with-libxml2=/prefix" or "--with-libjson=/prefix". - On some platforms it is necessary to explictly request large - file support to handle files bigger than 2GB. This can be - done by "--enable-largefile" on the configure command line. + On some platforms it is necessary to explictly request large + file support to handle files bigger than 2GB. This can be + done by "--enable-largefile" on the configure command line. - On some platforms, BIND 9 can be built with multithreading - support, allowing it to take advantage of multiple CPUs. - You can specify whether to build a multithreaded BIND 9 - by specifying "--enable-threads" or "--disable-threads" - on the configure command line. The default is operating - system dependent. + On some platforms, BIND 9 can be built with multithreading + support, allowing it to take advantage of multiple CPUs. + You can specify whether to build a multithreaded BIND 9 + by specifying "--enable-threads" or "--disable-threads" + on the configure command line. The default is operating + system dependent. Support for the "fixed" rrset-order option can be enabled or disabled by specifying "--enable-fixed-rrset" or "--disable-fixed-rrset" on the configure command line. The default is "disabled", to reduce memory footprint. - If your operating system has integrated support for IPv6, it - will be used automatically. If you have installed KAME IPv6 - separately, use "--with-kame[=PATH]" to specify its location. + If your operating system has integrated support for IPv6, it + will be used automatically. If you have installed KAME IPv6 + separately, use "--with-kame[=PATH]" to specify its location. - "make install" will install "named" and the various BIND 9 libraries. - By default, installation is into /usr/local, but this can be changed - with the "--prefix" option when running "configure". 
+ "make install" will install "named" and the various BIND 9 libraries. + By default, installation is into /usr/local, but this can be changed + with the "--prefix" option when running "configure". - You may specify the option "--sysconfdir" to set the directory - where configuration files like "named.conf" go by default, - and "--localstatedir" to set the default parent directory - of "run/named.pid". For backwards compatibility with BIND 8, - --sysconfdir defaults to "/etc" and --localstatedir defaults to - "/var" if no --prefix option is given. If there is a --prefix - option, sysconfdir defaults to "$prefix/etc" and localstatedir - defaults to "$prefix/var". + You may specify the option "--sysconfdir" to set the directory + where configuration files like "named.conf" go by default, + and "--localstatedir" to set the default parent directory + of "run/named.pid". For backwards compatibility with BIND 8, + --sysconfdir defaults to "/etc" and --localstatedir defaults to + "/var" if no --prefix option is given. If there is a --prefix + option, sysconfdir defaults to "$prefix/etc" and localstatedir + defaults to "$prefix/var". - To see additional configure options, run "configure --help". - Note that the help message does not reflect the BIND 8 - compatibility defaults for sysconfdir and localstatedir. + To see additional configure options, run "configure --help". + Note that the help message does not reflect the BIND 8 + compatibility defaults for sysconfdir and localstatedir. - If you're planning on making changes to the BIND 9 source, you - should also "make depend". If you're using Emacs, you might find - "make tags" helpful. + If you're planning on making changes to the BIND 9 source, you + should also "make depend". If you're using Emacs, you might find + "make tags" helpful. - If you need to re-run configure please run "make distclean" first. - This will ensure that all the option changes take. 
+ If you need to re-run configure please run "make distclean" first. + This will ensure that all the option changes take. - Building with gcc is not supported, unless gcc is the vendor's usual - compiler (e.g. the various BSD systems, Linux). - - Known compiler issues: - * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. - * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. - * gcc-3.3.5 powerpc generates incorrect code at -02. - * Irix, MipsPRO 7.4.1m is known to cause problems. + Building with gcc is not supported, unless gcc is the vendor's usual + compiler (e.g. the various BSD systems, Linux). - A limited test suite can be run with "make test". Many of - the tests require you to configure a set of virtual IP addresses - on your system, and some require Perl; see bin/tests/system/README - for details. + Known compiler issues: + * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. + * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. + * gcc-3.3.5 powerpc generates incorrect code at -02. + * Irix, MipsPRO 7.4.1m is known to cause problems. - SunOS 4 requires "printf" to be installed to make the shared - libraries. sh-utils-1.16 provides a "printf" which compiles - on SunOS 4. + A limited test suite can be run with "make test". Many of + the tests require you to configure a set of virtual IP addresses + on your system, and some require Perl; see bin/tests/system/README + for details. + + SunOS 4 requires "printf" to be installed to make the shared + libraries. sh-utils-1.16 provides a "printf" which compiles + on SunOS 4. Known limitations - Linux requires kernel build 2.6.39 or later to get the - performance benefits from using multiple sockets. + Linux requires kernel build 2.6.39 or later to get the + performance benefits from using multiple sockets. 
Documentation - The BIND 9 Administrator Reference Manual is included with the - source distribution in DocBook XML and HTML format, in the - doc/arm directory. + The BIND 9 Administrator Reference Manual is included with the + source distribution in DocBook XML and HTML format, in the + doc/arm directory. - Some of the programs in the BIND 9 distribution have man pages - in their directories. In particular, the command line - options of "named" are documented in /bin/named/named.8. - There is now also a set of man pages for the lwres library. + Some of the programs in the BIND 9 distribution have man pages + in their directories. In particular, the command line + options of "named" are documented in /bin/named/named.8. + There is now also a set of man pages for the lwres library. - If you are upgrading from BIND 8, please read the migration - notes in doc/misc/migration. If you are upgrading from - BIND 4, read doc/misc/migration-4to9. + If you are upgrading from BIND 8, please read the migration + notes in doc/misc/migration. If you are upgrading from + BIND 4, read doc/misc/migration-4to9. - Frequently asked questions and their answers can be found in - FAQ. + Frequently asked questions and their answers can be found in + FAQ. Additional information on various subjects can be found in the other README files. 
@@ -331,64 +340,64 @@ Documentation Change Log - A detailed list of all changes to BIND 9 is included in the - file CHANGES, with the most recent changes listed first. - Change notes include tags indicating the category of the - change that was made; these categories are: + A detailed list of all changes to BIND 9 is included in the + file CHANGES, with the most recent changes listed first. + Change notes include tags indicating the category of the + change that was made; these categories are: - [func] New feature + [func] New feature - [bug] General bug fix + [bug] General bug fix - [security] Fix for a significant security flaw + [security] Fix for a significant security flaw - [experimental] Used for new features when the syntax - or other aspects of the design are still - in flux and may change + [experimental] Used for new features when the syntax + or other aspects of the design are still + in flux and may change - [port] Portability enhancement + [port] Portability enhancement - [maint] Updates to built-in data such as root - server addresses and keys + [maint] Updates to built-in data such as root + server addresses and keys - [tuning] Changes to built-in configuration defaults - and constants to improve performanceo + [tuning] Changes to built-in configuration defaults + and constants to improve performanceo - [protocol] Updates to the DNS protocol such as new - RR types + [protocol] Updates to the DNS protocol such as new + RR types [test] Changes to the automatic tests, not affecting server functionality [cleanup] Minor corrections and refactoring - [doc] Documentation + [doc] Documentation - In general, [func] and [experimental] tags will only appear - in new-feature releases (i.e., those with version numbers - ending in zero). Some new functionality may be backported to - older releases on a case-by-case basis. All other change - types may be applied to all currently-supported releases. 
+ In general, [func] and [experimental] tags will only appear + in new-feature releases (i.e., those with version numbers + ending in zero). Some new functionality may be backported to + older releases on a case-by-case basis. All other change + types may be applied to all currently-supported releases. Bug Reports and Mailing Lists - Bugs reports should be sent to + Bugs reports should be sent to - bind9-bugs@isc.org + bind9-bugs@isc.org - To join the BIND Users mailing list, send mail to + To join the BIND Users mailing list, send mail to - bind-users-request@isc.org + bind-users-request@isc.org - archives of which can be found via + archives of which can be found via - http://www.isc.org/ops/lists/ + http://www.isc.org/ops/lists/ - If you're planning on making changes to the BIND 9 source - code, you might want to join the BIND Workers mailing list. - Send mail to + If you're planning on making changes to the BIND 9 source + code, you might want to join the BIND Workers mailing list. + Send mail to - bind-workers-request@isc.org + bind-workers-request@isc.org
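Review bot: In the HISTORY hunk (@@ -1,5 +1,56), the BIND 9.7.0 section is added next to 9.8.0, but the README hunk at @@ -100,139 +133,115 removes only the 9.8.0 section; if 9.7.0 was already dropped from README in an earlier commit, say so in the commit message, otherwise check that it does not now appear in both files. While the text is being relocated, also normalise the bullet punctuation: "interoperability with Active Directory", "Support for RFC 5011 automated trust anchor maintenance" and "A new DNSSEC-aware libdns API for use by non-BIND9 applications" lack the terminating period the neighbouring items have.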
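Review bot: In the README hunk @@ -1,67 +1,100, the new 9.10.0 entry reads "using the MacMind GeoIP databases"; the vendor is MaxMind, so fix the spelling in this user-visible text. The same hunk reindents roughly sixty unchanged lines of the introduction and sponsor list by one space, which buries the actual content change (the expanded 9.10.0 feature list replacing the single "Named now listens on both IPv4 and IPv6 interfaces by default." line); consider splitting the whitespace reindentation into its own commit so the content change reviews cleanly. Minor: "javascript-enabled browsers" should be "JavaScript-enabled browsers".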
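Review bot: In the README hunk @@ -100,139 +133,115, the reindented STD_CDEFINES settings keep a stray period before each flag ("To disable the default check set. -DCHECK_SIBLING=0", "To disable this default set. -DCHECK_LOCAL=0", ".../{named,lwresd}/ set. -DNS_RUN_PID_DIR=0"); since these lines are being rewritten anyway, move the period to the end, e.g. "To disable the default check, set -DCHECK_SIBLING=0." The BUILD_CPPFLAGS example "-DNEED_OPTARG=1 (optarg is not declared in )" names no header after "declared in"; if the header name was lost because it was written in angle brackets, restore it. The DNSSEC paragraph re-emits "OpenSSL 0.9.5a or newer" unchanged; as the line is being touched, confirm that this is still the minimum version configure actually accepts. The removal of the 9.8.0 section here matches its addition to HISTORY in the first hunk.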
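Review bot: In the README hunk @@ -240,90 +249,90, three defects survive the reindentation and should be fixed while the lines are being rewritten: "explictly request large file support" should read "explicitly"; the "Known compiler issues" entries say "generates incorrect code at -02" (digit zero) where the optimisation level is "-O2", as the CFLAGS paragraph in the previous hunk spells it; and "gcc-3.2.1 and gcc-3.1.1 is known to cause problems" should be "are known".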
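Review bot: In the README hunk @@ -331,64 +340,64, the reindented [tuning] entry still reads "to improve performanceo" (fix to "performance"), and "Bugs reports should be sent to" should be "Bug reports"; both lines are modified by this patch, so the fix belongs here rather than in a follow-up. The [test] and [cleanup] entries are untouched context between reindented neighbours, which suggests they already had the target indentation; a quick check that the whole tag list now aligns would confirm that.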