upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 13:39:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

regen master

Browse source
This commit is contained in:
Tinderbox User 2017-04-23 01:06:11 +00:00
parent 1f6505a424
commit f5fa655319
20 changed files with 2822 additions and 2892 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

525
HISTORY
View file

@ -1,525 +0,0 @@
Functional enhancements from prior major releases of BIND 9
BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
* Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone, along
with their configuration parameters. Changes to the catalog zone are
propagated to slaves via normal AXFR/IXFR, whereupon the zones that
are listed in it are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing
and logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
use of recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically adjusted
downward if the server is partially or completely non-responsive.
The algorithm used to adjust the quota can be configured via the
"fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries that
can be sent for names within a single domain. (Note: Unlike
"fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count queries spilled due to
these quotas.
* Added a new "dnssec-keymgr" key mainenance utility, which can generate
or update keys as needed to ensure that a zone's keys match a defined
DNSSEC policy.
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
and is no longer optional. EDNS COOKIE is a mechanism enabling clients
to detect off-path spoofed responses, and servers to detect
spoofed-source queries. Clients that identify themselves using COOKIE
options are not subject to response rate limiting (RRL) and can
receive larger UDP responses.
* SERVFAIL responses can now be cached for a limited time (defaulting to
1 second, with an upper limit of 30). This can reduce the frequency of
retries when a query is persistently failing.
* Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
be skipped if a name server IP address isn't in the cache yet; the
address will be looked up and the rule will be applied on future
queries.
* Added a Python RNDC module. This allows multiple commands to sent over
a persistent RNDC channel, which saves time.
* The "controls" block in named.conf can now grant read-only "rndc"
access to specified clients or keys. Read-only clients could, for
example, check "rndc status" but could not reconfigure or shut down
the server.
* "rndc" commands can now return arbitrarily large amounts of text to
the caller.
* The zone serial number of a dynamically updatable zone can now be set
via "rndc signing -serial ". This allows inline-signing zones to be
set to a specific serial number.
* The new "rndc nta" command can be used to set a Negative Trust Anchor
(NTA), disabling DNSSEC validation for a specific domain; this can be
used when responses from a domain are known to be failing validation
due to administrative error rather than because of a spoofing attack.
Negative trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
* "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
* "rndc modzone" reconfigures a single zone, without requiring the
entire server to be reconfigured.
* "rndc showzone" displays the current configuration of a zone.
* "rndc managed-keys" can be used to check the status of RFC 5001
managed trust anchors, or to force trust anchors to be refreshed.
* "max-cache-size" can now be set to a percentage of available memory.
The default is 90%.
* Update forwarding performance has been improved by allowing a single
TCP connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
servers; if a query contains an ECS option then ACLs containing
"geoip" or "ecs" elements can match against the the address encoded in
the option. This can be used to select a view for a query, so that
different answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side,
allowing a slave server to set the expiration timer correctly when
transferring zone data from another slave server.
* The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
"-Psync" and "-Dsync" options to set the publication and deletion
times of CDS and CDNSKEY parent-synchronization records. Both named
and dnssec-signzone can now publish and remove these records at the
scheduled times.
* A new "minimal-any" option reduces the size of UDP responses for query
type ANY by returning a single arbitrarily selected RRset instead of
all RRsets.
* A new "masterfile-style" zone option controls the formatting of text
zone files: When set to "full", a zone file is dumped in
single-line-per-record format.
* "serial-update-method" can now be set to "date". On update, the serial
number will be set to the current date in YYYYMMDDNN format.
* "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
* "named -L " causes named to send log messages to the specified file by
default instead of to the system log.
* "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
s for weeks, days, hours, minutes, and seconds.
* "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
presentation format.
* "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
* "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
requests.
* "mdig" is an alternate version of dig which sends multiple pipelined
TCP queries to a server. Instead of waiting for a response after
sending a query, it sends all queries immediately and displays
responses in the order received.
* "serial-query-rate" no longer controls NOTIFY messages. These are
separately controlled by "notify-rate" and "startup-notify-rate".
* "nsupdate" now performs "check-names" processing by default on records
to be added. This can be disabled with "check-names no".
* The statistics channel now supports DEFLATE compression, reducing the
size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the
sizes of incoming queries and outgoing responses in histogram buckets,
as specified in RSSAC002.
* A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
added, allowing redirection to a specified DNS namespace instead of a
single redirect zone.
* When starting up, named now ensures that no other named process is
already running.
* Files created by named to store information, including "mkeys" and
"nzf" files, are now named after their corresponding views unless the
view name contains characters incompatible with use as a filename. Old
style filenames (based on the hash of the view name) will still work.
BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
* DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no
longer requires a compile-time option to enable it.
* An experimental "Source Identity Token" (SIT) EDNS option is now
available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
these are designed to enable clients to detect off-path spoofed
responses, and to enable servers to detect spoofed-source queries.
Servers can be configured to send smaller responses to clients that
have not identified themselves using a SIT option, reducing the
effectiveness of amplification attacks. RRL processing has also been
updated; clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this feature in
BIND.
* A new zone file format, "map", stores zone data in a format that can
be mapped directly into memory, allowing significantly faster zone
loading.
* "delv" (domain entity lookup and validation) is a new tool with
dig-like semantics for looking up DNS data and performing internal
DNSSEC validation. This allows easy validation in environments where
the resolver may not be trustworthy, and assists with troubleshooting
of DNSSEC problems. (NOTE: In previous development releases of BIND
9.10, this utility was called "delve". The spelling has been changed
to avoid confusion with the "delve" utility included with the Xapian
search engine.)
* Improved EDNS(0) processing for better resolver performance and
reliability over slow or lossy connections.
* A new "configure --with-tuning=large" option tunes certain compiled-in
constants and default settings to values better suited to large
servers with abundant memory. This can improve performance on such
servers, but will consume more memory and may degrade performance on
smaller systems.
* Substantial improvement in response-policy zone (RPZ) performance. Up
to 32 response-policy zones can be configured with minimal performance
loss.
* To improve recursive resolver performance, cache records which are
still being requested by clients can now be automatically refreshed
from the authoritative server before they expire, reducing or
eliminating the time window in which no answer is available in the
cache.
* New "rpz-client-ip" triggers and drop policies allowing response
policies based on the IP address of the client.
* ACLs can now be specified based on geographic location using the
MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
* Zone data can now be shared between views, allowing multiple views to
serve the same zones authoritatively without storing multiple copies
in memory.
* New XML schema (version 3) for the statistics channel includes many
new statistics and uses a flattened XML tree for faster parsing. The
older schema is now deprecated.
* A new stylesheet, based on the Google Charts API, displays XML
statistics in charts and graphs on javascript-enabled browsers.
* The statistics channel can now provide data in JSON format as well as
XML.
* New stats counters track TCP and UDP queries received per zone, and
EDNS options received in total.
* The internal and export versions of the BIND libraries (libisc,
libdns, etc) have been unified so that external library clients can
use the same libraries as BIND itself.
* A new compile-time option, "configure --enable-native-pkcs11", allows
BIND 9 cryptography functions to use the PKCS#11 API natively, so that
BIND can drive a cryptographic hardware service module (HSM) directly
instead of using a modified OpenSSL as an intermediary. (Note: This
feature requires an HSM to have a full implementation of the PKCS#11
API; many current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness. Native
PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
version 2 from the Open DNSSEC project.)
* The new "max-zone-ttl" option enforces maximum TTLs for zones. This
can simplify the process of rolling DNSSEC keys by guaranteeing that
cached signatures will have expired within the specified amount of
time.
* "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
* "dig +expire" sends an EDNS EXPIRE option when querying. When this
option is sent with an SOA query to a server that supports it, it will
report the expiry time of a slave zone.
* New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently
scheduled.
* Signing algorithm flexibility and other improvements for the "rndc"
control channel.
* "named-checkzone" and "named-compilezone" can now read journal files,
allowing them to process dynamic zones.
* Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases
now serve zones of type "master" and "redirect".
* "rndc zonestatus" reports information about a specified zone.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* "named" now preserves the capitalization of names when responding to
queries: for instance, a query for "example.com" may be answered with
"example.COM" if the name was configured that way in the zone file.
Some clients have a bug causing them to depend on the older behavior,
in which the case of the answer always matched the case of the query,
rather than the case of the name configured in the DNS. Such clients
can now be specified in the new "no-case-compress" ACL; this will
restore the older behavior of "named" for those clients only.
* new "dnssec-importkey" command allows the use of offline DNSSEC keys
with automatic DNSKEY management.
* New "named-rrchecker" tool to verify the syntactic correctness of
individual resource records.
* When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer
active.
* "named-checkconf -px" will print the contents of configuration files
with the shared secrets obscured, making it easier to share
configuration (e.g. when submitting a bug report) without revealing
private information.
* "rndc scan" causes named to re-scan network interfaces for changes in
local addresses.
* On operating systems with support for routing sockets, network
interfaces are re-scanned automatically whenever they change.
* "tsig-keygen" is now available as an alternate command name to use for
"ddns-confgen".
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
* Inline signing, allowing automatic DNSSEC signing of master zones
without modification of the zonefile, or "bump in the wire" signing in
slaves.
* NXDOMAIN redirection.
* New 'rndc flushtree' command clears all data under a given name from
the DNS cache.
* New 'rndc sync' command dumps pending changes in a dynamic zone to
disk without a freeze/thaw cycle.
* New 'rndc signing' command displays or clears signing status records
in 'auto-dnssec' zones.
* NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
signing, eliminating the need to initially sign with NSEC.
* Startup time improvements on large authoritative servers.
* Slave zones are now saved in raw format by default.
* Several improvements to response policy zones (RPZ).
* Improved hardware scalability by using multiple threads to listen for
queries and using finer-grained client locking
* The 'also-notify' option now takes the same syntax as 'masters', so it
can used named masterlists and TSIG keys.
* 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
* 'dnssec-signzone -R' forces removal of signatures that are not expired
but were created by a key which no longer exists.
* 'dnssec-signzone -X' allows a separate expiration date to be specified
for DNSKEY signatures from other signatures.
* New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
* dnssec-dsfromkey now supports reading from standard input, to make it
easier to convert DNSKEY to DS.
* RFC 1918 reverse zones have been added to the empty-zones table per
RFC 6303.
* Dynamic updates can now optionally set the zone's SOA serial number to
the current UNIX time.
* DLZ modules can now retrieve the source IP address of the querying
client.
* 'request-ixfr' option can now be set at the per-zone level.
* 'dig +rrcomments' turns on comments about DNSKEY records, indicating
their key ID, algorithm and function
* Simplified nsupdate syntax and added readline support
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
* Built-in trust anchor for the root zone, which can be switched on via
"dnssec-validation auto;"
* Support for DNS64.
* Support for response policy zones (RPZ).
* Support for writable DLZ zones.
* Improved ease of configuration of GSS/TSIG for interoperability with
Active Directory
* Support for GOST signing algorithm for DNSSEC.
* Removed RTT Banding from server selection algorithm.
* New "static-stub" zone type.
* Allow configuration of resolver timeouts via "resolver-query-timeout"
option.
* The DLZ "dlopen" driver is now built by default.
* Added a new include file with function typedefs for the DLZ "dlopen"
driver.
* Made "--with-gssapi" default.
* More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration. New features
include:
* Fully automatic signing of zones by "named".
* Simplified configuration of DNSSEC Lookaside Validation (DLV).
* Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
* New named option "attach-cache" that allows multiple views to share a
single cache.
* DNS rebinding attack prevention.
* New default values for dnssec-keygen parameters.
* Support for RFC 5011 automated trust anchor maintenance
* Smart signing: simplified tools for zone signing and key maintenance.
* The "statistics-channels" option is now available on Windows.
* A new DNSSEC-aware libdns API for use by non-BIND9 applications
* On some platforms, named and other binaries can now print out a stack
backtrace on assertion failure, to aid in debugging.
* A "tools only" installation mode on Windows, which only installs dig,
host, nslookup and nsupdate.
* Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
* Full NSEC3 support
* Automatic zone re-signing
* New update-policy methods tcp-self and 6to4-self
* The BIND 8 resolver library, libbind, has been removed from the BIND 9
distribution and is now available as a separate download.
* Change the default pid file location from /var/run to /var/run/
{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
* GSS-TSIG support (RFC 3645).
* DHCID support.
* Experimental http server and statistics support for named via xml.
* More detailed statistics counters including those supported in BIND 8.
* Faster ACL processing.
* Use Doxygen to generate internal documentation.
* Efficient LRU cache-cleaning mechanism.
* NSID support.
BIND 9.4.0
* Implemented "additional section caching (or acache)", an internal
cache framework for additional section content to improve response
performance. Several configuration options were provided to control
the behavior.
* New notify type 'master-only'. Enable notify for master zones only.
* Accept 'notify-source' style syntax for query-source.
* rndc now allows addresses to be set in the server clauses.
* New option "allow-query-cache". This lets "allow-query" be used to
specify the default zone access level rather than having to have every
zone override the global value. "allow-query-cache" can be set at both
the options and view levels. If "allow-query-cache" is not set then
"allow-recursion" is used if set, otherwise "allow-query" is used if
set unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
* rndc: the source address can now be specified.
* ixfr-from-differences now takes master and slave in addition to yes
and no at the options and view levels.
* Allow the journal's name to be changed via named.conf.
* 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
specified zone.
* 'dig +trace' now randomly selects the next servers to try. Report if
there is a bad delegation.
* Improve check-names error messages.
* Make public the function to read a key file, dst_key_read_public().
* dig now returns the byte count for axfr/ixfr.
* allow-update is now settable at the options / view level.
* named-checkconf now checks the logging configuration.
* host now can turn on memory debugging flags with '-m'.
* Don't send notify messages to self.
* Perform sanity checks on NS records which refer to 'in zone' names.
* New zone option "notify-delay". Specify a minimum delay between sets
of NOTIFY messages.
* Extend adjusting TTL warning messages.
* Named and named-checkzone can now both check for non-terminal wildcard
records.
* "rndc freeze/thaw" now freezes/thaws all zones.
* named-checkconf now check acls to verify that they only refer to
existing acls.
* The server syntax has been extended to support a range of servers.
* Report differences between hints and real NS rrset and associated
address records.
* Preserve the case of domain names in rdata during zone transfers.
* Restructured the data locking framework using architecture dependent
atomic operations (when available), improving response performance on
multi-processor machines significantly. x86, x86_64, alpha, powerpc,
and mips are currently supported.
* UNIX domain controls are now supported.
* Add support for additional zone file formats for improving loading
performance. The masterfile-format option in named.conf can be used to
specify a non-default format. A separate command named-compilezone was
provided to generate zone files in the new format. Additionally, the
-I and -O options for dnssec-signzone specify the input and output
formats.
* dnssec-signzone can now randomize signature end times (dnssec-signzone
-j jitter).
* Add support for CH A record.
* Add additional zone data constancy checks. named-checkzone has
extended checking of NS, MX and SRV record and the hosts they
reference. named has extended post zone load checks. New zone options:
check-mx and integrity-check.
* edns-udp-size can now be overridden on a per server basis.
* dig can now specify the EDNS version when making a query.
* Added framework for handling multiple EDNS versions.
* Additional memory debugging support to track size and mctx arguments.
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to
be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and
max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
* Raise the UDP recieve buffer size to 32k if it is less than 32k.
* x86 and x86_64 now have seperate atomic locking implementations.
* named-checkconf now validates update-policy entries.
* Attempt to make the amount of work performed in a iteration self
tuning. The covers nodes clean from the cache per iteration, nodes
written to disk when rewriting a master file and nodes destroyed per
iteration when destroying a zone or a cache.
* ISC string copy API.
* Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
1918 zones are not yet covered by this but are likely to be in a
future release.
* New options: empty-server, empty-contact, empty-zones-enable and
disable-empty-zone.
* dig now has a '-q queryname' and '+showsearch' options.
* host/nslookup now continue (default)/fail on SERVFAIL.
* dig now warns if 'RA' is not set in the answer when 'RD' was set in
the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
is set unless a server is explicitly set.
* Integrate contibuted DLZ code into named.
* Integrate contibuted IDN code from JPNIC.
* libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
* DNSSEC is now DS based (RFC 3658).
* DNSSEC lookaside validation.
* check-names is now implemented.
* rrset-order is more complete.
* IPv4/IPv6 transition support, dual-stack-servers.
* IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
* It is now possible to specify the size of a journal, max-journal-size.
* It is now possible to define a named set of master servers to be used
in masters clause, masters.
* The advertised EDNS UDP size can now be set, edns-udp-size.
* allow-v6-synthesis has been obsoleted.
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
NOTIMPL. This will have impact on scripts that are looking for
NOTIMPL.
* libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
* The size of the cache can now be limited using the "max-cache-size"
option.
* The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the new
option "allow-v6-synthesis". This allows stub resolvers that support
AAAA records but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS features.
* Performance has been improved.
* The man pages now use the more portable "man" macros rather than the
"mandoc" macros, and are installed by "make install".
* The named.conf parser has been completely rewritten. It now supports
"include" directives in more places such as inside "view" statements,
and it no longer has any reserved words.
* The "rndc status" command is now implemented.
* rndc can now be configured automatically.
* A BIND 8 compatible stub resolver library is now included in lib/bind.
* OpenSSL has been removed from the distribution. This means that to use
DNSSEC, OpenSSL must be installed and the --with-openssl option must
be supplied to configure. This does not apply to the use of TSIG,
which does not require OpenSSL.
* The source distribution now builds on Windows. See win32utils/
readme1.txt and win32utils/win32-build.txt for details.
* This distribution also includes a new lightweight stub resolver
library and associated resolver daemon that fully support forward and
reverse lookups of both IPv4 and IPv6 addresses. This library is
considered experimental and is not a complete replacement for the BIND
8 resolver library. Applications that use the BIND 8 res_* functions
to perform DNS lookups or dynamic updates still need to be linked
against the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
* BIND 9.2 is capable of acting as an authoritative server for DNSSEC
secured zones. This functionality is believed to be stable and
complete except for lacking support for verifications involving
wildcard records in secure zones.
* When acting as a caching server, BIND 9.2 can be configured to perform
DNSSEC secure resolution on behalf of its clients. This part of the
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.

25
OPTIONS
View file

@ -1,25 +0,0 @@
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Don't ovewrite memory when allocating or freeing
-DISC_MEM_FILL=0 it; this improves performance but makes
debugging more difficult.
Don't track memory allocations by file and line
-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
debugging more difficult.
-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
well-known ports:
-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
named-checkzone
-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
rather than ${localstatedir}/run/{named,lwresd}/
Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv
instead.)

328
README
View file

@ -1,328 +0,0 @@
BIND 9
Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.12 features
5. Building BIND
6. Compile-time options
7. Automated testing
8. Documentation
9. Change log
10. Acknowledgments
Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.
The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.
BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licenced under the terms of the Mozilla Public License,
version 2.0.
For a summary of features introduced in past major releases of BIND, see
the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date release notes and errata, see http://www.isc.org/software/
bind9/releasenotes
Reporting bugs and getting help
Please report assertion failure errors and suspected security issues to
security-officer@isc.org.
General bug reports can be sent to bind9-bugs@isc.org.
Feature requests can be sent to bind-suggest@isc.org.
Please note that, while ISC's ticketing system is not currently publicly
readable, this may change in the future. Please do not include information
in bug reports that you consider to be confidential. For example, when
sending the contents of your configuration file, it is advisable to
obscure key secrets; this can be done automatically by using
named-checkconf -px.
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
To join the BIND Users mailing list, or view the archives, visit https://
lists.isc.org/mailman/listinfo/bind-users.
If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/
mailman/listinfo/bind-workers.
Contributing to BIND
A public git repository for BIND is maintained at http://www.isc.org/git/,
and also on Github at https://github.com/isc-projects.
Information for BIND contributors can be found in the following files: -
General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
style.md - BIND architecture and developer guide: doc/dev/dev.md
Patches for BIND may be submitted either as Github pull requests or via
email. When submitting a patch via email, please prepend the subject
header with "[PATCH]" so it will be easier for us to find. If your patch
introduces a new feature in BIND, please submit it to bind-suggest@isc.org
; if it fixes a bug, please submit it to bind9-bugs@isc.org.
BIND 9.12 features
BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
include:
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* named-checkconf -l lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed
on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
HP-UX, AIX, SCO OpenServer, and OpenWRT.
BIND is also available for Windows XP, 2003, 2008, and higher. See
win32utils/readme1st.txt for details on building for Windows systems.
To build on a UNIX or Linux system, use:
$ ./configure
$ make
(NOTE: Using multiple processors in make is not reliable and is not
advised.)
If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation:
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
CFLAGS supported by the compiler. Please include '-g' if you need
to set CFLAGS.
System header file directories. Can be used to specify
STD_CINCLUDES where add-on thread or IPv6 support is, for example.
Defaults to empty string.
Any additional preprocessor symbols you want defined.
STD_CDEFINES Defaults to empty string. For a list of possible settings,
see the file OPTIONS.
LDFLAGS Linker flags. Defaults to empty string.
BUILD_CC Needed when cross-compiling: the native C compiler to use
when building for the target system.
BUILD_CFLAGS Optional, used for cross-compiling
BUILD_CPPFLAGS
BUILD_LDFLAGS
BUILD_LIBS
Compile-time options
To see a full list of configuration options, run configure --help.
On most platforms, BIND 9 is built with multithreading support, allowing
it to take advantage of multiple CPUs. You can configure this by
specifying --enable-threads or --disable-threads on the configure command
line. The default is to enable threads, except on some older operating
systems on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on Linux
systems; this has now been reversed. On Linux systems, the threaded build
is known to change BIND's behavior with respect to file permissions; it
may be necessary to specify a user with the -u option when running named.)
To build shared libraries, specify --with-libtool on the configure command
line.
Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g,
64-bit servers with 12G or more of memory) by specifying --with-tuning=
large on the configure command line. This can improve performance on big
servers, but will consume more memory and may degrade performance on
smaller systems.
For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using "--with-openssl=/prefix" on the configure command
line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using --with-zlib=/prefix.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using "with-lmdb=/prefix".
To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
For DNSTAP packet logging, you must have libfstrm https://github.com/
farsightsec/fstrm and libprotobuf-c https://developers.google.com/
protocol-buffers, and BIND must be configured with "--enable-dnstap".
Python requires the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is
available from https://pypi.python.org/pypi/ply.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
--enable-largefile on the configure command line.
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
command line. By default, fixed rrset-order is disabled to reduce memory
footprint.
If your operating system has integrated support for IPv6, it will be used
automatically. If you have installed KAME IPv6 separately, use --with-kame
[=PATH] to specify its location.
make install will install named and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
--prefix option when running configure.
You may specify the option --sysconfdir to set the directory where
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. For backwards
compatibility with BIND 8, --sysconfdir defaults to /etc and
--localstatedir defaults to /var if no --prefix option is given. If there
is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
defaults to $prefix/var.
Automated testing
A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by by running the script bin/tests/system/
ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using Automated Testing Framework (ATF). To run
them, use configure --with-atf, then run make test or make unit.
Documentation
The BIND 9 Administrator Reference Manual is included with the source
distribution, in DocBook XML, HTML and PDF format, in the doc/arm
directory.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of named are
documented in bin/named/named.8.
Frequently (and not-so-frequently) asked questions and their answers can
be found in the ISC Knowledge Base at https://kb.isc.org.
Additional information on various subjects can be found in other README
files throughout the source tree.
Change log
A detailed list of all changes that have been made throughout the
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax or other aspects of
the design are still in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root server addresses and
keys
[tuning] Changes to built-in configuration defaults and constants to
improve performance
[performance] Other changes to improve server performance
[protocol] Updates to the DNS protocol such as new RR types
[test] Changes to the automatic tests, not affecting server
functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
[contrib] Changes to the contributed tools and libraries in the
'contrib' subdirectory
Used in the master development branch to reserve change
[placeholder] numbers for use in other branches, e.g. when fixing a bug
that only exists in older releases
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)

2
bin/dnssec/dnssec-keygen.8
View file

@ -69,7 +69,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 512 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the

2
bin/dnssec/dnssec-keygen.html
View file

@ -123,7 +123,7 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need

1359
bin/named/named.conf.5
View file

File diff suppressed because it is too large Load diff

1379
bin/named/named.conf.html
View file

File diff suppressed because it is too large Load diff

2
bin/rndc/rndc.8
View file

@ -214,7 +214,7 @@ causes the output file to be rolled automatically, similar to log files; the mos
is specified, then the number of backup log files is limited to that number\&.
.RE
.PP
\fBdumpdb \fR\fB[\-all|\-cache|\-zone|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
\fBdumpdb \fR\fB[\-all|\-cache|\-zones|\-adb|\-bad|\-fail]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the server\*(Aqs caches (default) and/or zones to the dump file for the specified views\&. If no view is specified, all views are dumped\&. (See the
\fBdump\-file\fR

8
bin/rndc/rndc.html
View file

@ -274,14 +274,12 @@
number of backup log files is limited to that number.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd>
<p>
Dump the server's caches (default) and/or zones to
the
dump file for the specified views. If no view is
specified, all
views are dumped.
the dump file for the specified views. If no view
is specified, all views are dumped.
(See the <span class="command"><strong>dump-file</strong></span> option in
the BIND 9 Administrator Reference Manual.)
</p>

11
bin/tools/dnstap-read.1
View file

@ -39,7 +39,7 @@
dnstap-read \- print dnstap data in human\-readable form
.SH "SYNOPSIS"
.HP \w'\fBdnstap\-read\fR\ 'u
\fBdnstap\-read\fR [\fB\-m\fR] [\fB\-p\fR] [\fB\-y\fR] {\fIfile\fR}
\fBdnstap\-read\fR [\fB\-m\fR] [\fB\-p\fR] [\fB\-x\fR] [\fB\-y\fR] {\fIfile\fR}
.SH "DESCRIPTION"
.PP
\fBdnstap\-read\fR
@ -66,6 +66,15 @@ data, print the text form of the DNS message that was encapsulated in the
frame\&.
.RE
.PP
\-x
.RS 4
After printing the
\fBdnstap\fR
data, print a hex dump of the wire form of the DNS message that was encapsulated in the
\fBdnstap\fR
frame\&.
.RE
.PP
\-y
.RS 4
Print

9
bin/tools/dnstap-read.html
View file

@ -35,6 +35,7 @@
<code class="command">dnstap-read</code>
[<code class="option">-m</code>]
[<code class="option">-p</code>]
[<code class="option">-x</code>]
[<code class="option">-y</code>]
{<em class="replaceable"><code>file</code></em>}
</p></div>
@ -72,6 +73,14 @@
<span class="command"><strong>dnstap</strong></span> frame.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
After printing the <span class="command"><strong>dnstap</strong></span> data, print
a hex dump of the wire form of the DNS message that was
encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd>
<p>

14
configure vendored
View file

@ -956,7 +956,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
@ -1112,7 +1111,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1365,15 +1363,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1511,7 +1500,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@ -1664,7 +1653,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]

5
doc/arm/Bv9ARM.ch02.html
View file

@ -83,11 +83,6 @@
option can be used to limit the amount of memory used by the cache,
at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
traffic.
Additionally, if additional section caching
(<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
the <span class="command"><strong>max-acache-size</strong></span> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
all zone and cache data into memory &#8212; unfortunately, the best
way

249
doc/arm/Bv9ARM.ch06.html
View file

@ -2644,8 +2644,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
[ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ; ]
[ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ; ]
[ <span class="command"><strong>additional-from-auth</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
[ <span class="command"><strong>additional-from-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
[ <span class="command"><strong>random-device</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
[ <span class="command"><strong>max-cache-size</strong></span> <em class="replaceable"><code>size_or_percent</code></em> ; ]
[ <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
@ -2671,9 +2669,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
[ <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>algorithm</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>digest_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
[ <span class="command"><strong>acache-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
[ <span class="command"><strong>acache-cleaning-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
[ <span class="command"><strong>max-acache-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
[ <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>number</code></em> ; ]
[ <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
[ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
@ -4197,7 +4192,7 @@ options {
both authoritative and recursive queries.
</p>
<p>
The default is <strong class="userinput"><code>no</code></strong>.
The default is <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
@ -4527,92 +4522,6 @@ options {
and the option is ignored.
</p>
</dd>
<dt>
<span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span>
</dt>
<dd>
<p>
These options control the behavior of an authoritative
server when
answering queries which have additional data, or when
following CNAME
and DNAME chains.
</p>
<p>
When both of these options are set to <strong class="userinput"><code>yes</code></strong>
(the default) and a
query is being answered from authoritative data (a zone
configured into the server), the additional data section of
the
reply will be filled in using data from other authoritative
zones
and from the cache. In some situations this is undesirable,
such
as when there is concern over the correctness of the cache,
or
in servers where slave zones may be added and modified by
untrusted third parties. Also, avoiding
the search for this additional data will speed up server
operations
at the possible expense of additional queries to resolve
what would
otherwise be provided in the additional section.
</p>
<p>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
if known, even though they are not in the example.com zone.
Setting these options to <span class="command"><strong>no</strong></span>
disables this behavior and makes
the server only search for additional data in the zone it
answers from.
</p>
<p>
These options are intended for use in authoritative-only
servers, or in authoritative-only views. Attempts to set
them to <span class="command"><strong>no</strong></span> without also
specifying
<span class="command"><strong>recursion no</strong></span> will cause the
server to
ignore the options and log a warning message.
</p>
<p>
Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually
disables the use of the cache not only for additional data
lookups
but also when looking up the answer. This is usually the
desired
behavior in an authoritative-only server where the
correctness of
the cached data is an issue.
</p>
<p>
When a name server is non-recursively queried for a name
that is not
below the apex of any served zone, it normally answers with
an
"upwards referral" to the root servers or the servers of
some other
known parent of the query name. Since the data in an
upwards referral
comes from the cache, the server will not be able to provide
upwards
referrals when <span class="command"><strong>additional-from-cache no</strong></span>
has been specified. Instead, it will respond to such
queries
with REFUSED. This should not cause any problems since
upwards referrals are not required for the resolution
process.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
<dd>
<p>
@ -6612,7 +6521,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
The response to a DNS query may consist of multiple resource
records (RRs) forming a resource records set (RRset).
records (RRs) forming a resource record set (RRset).
The name server will normally return the
RRs within the RRset in an indeterminate order
(but see the <span class="command"><strong>rrset-order</strong></span>
@ -6728,17 +6637,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
When multiple records are returned in an answer it may be
useful to configure the order of the records placed into the
response.
The <span class="command"><strong>rrset-order</strong></span> statement permits
configuration
of the ordering of the records in a multiple record response.
response. The <span class="command"><strong>rrset-order</strong></span> statement permits
configuration of the ordering of the records in a
multiple-record response.
See also the <span class="command"><strong>sortlist</strong></span> statement,
<a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
</p>
<p>
An <span class="command"><strong>order_spec</strong></span> is defined as
follows:
An <span class="command"><strong>order_spec</strong></span> is defined as follows:
</p>
<p>
[<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
@ -6768,7 +6674,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<td>
<p>
Records are returned in the order they
are defined in the zone file.
are defined in the zone file. This option
is only available if <acronym class="acronym">BIND</acronym>
is configured with "--enable-fixed-rrset" at
compile time.
</p>
</td>
</tr>
@ -6788,29 +6697,45 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</td>
<td>
<p>
Records are returned in a cyclic round-robin order.
Records are returned in a cyclic round-robin order,
rotating by one record per query.
</p>
<p>
If <acronym class="acronym">BIND</acronym> is configured with the
"--enable-fixed-rrset" option at compile time, then
If <acronym class="acronym">BIND</acronym> is configured with
"--enable-fixed-rrset" at compile time, then
the initial ordering of the RRset will match the
one specified in the zone file.
one specified in the zone file; otherwise the
initial ordering is indeterminate.
</p>
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>none</strong></span></p>
</td>
<td>
<p>
Records are returned in whatever order they were
retrieved from the database. This order is
indeterminate, but will be consistent as long as the
database is not modified. When no ordering is
specified, this is the default.
</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>
</p>
<p>
For example:
</p>
<pre class="programlisting">rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
</pre>
<p>
will cause any responses for type A records in class IN that
have "<code class="literal">host.example.com</code>" as a
@ -6822,7 +6747,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
appear, they are not combined &#8212; the last one applies.
</p>
<p>
By default, all records are returned in random order.
By default, records are returned in indeterminate but
consistent order (see <span class="command"><strong>none</strong></span> above).
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
@ -7520,113 +7446,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="acache"></a>Additional Section Caching</h4></div></div></div>
<p>
The additional section cache, also called <span class="command"><strong>acache</strong></span>,
is an internal cache to improve the response performance of BIND 9.
When additional section caching is enabled, BIND 9 will
cache an internal short-cut to the additional section content for
each answer RR.
Note that <span class="command"><strong>acache</strong></span> is an internal caching
mechanism of BIND 9, and is not related to the DNS caching
server function.
</p>
<p>
Additional section caching does not change the
response content (except the RRsets ordering of the additional
section, see below), but can improve the response performance
significantly.
It is particularly effective when BIND 9 acts as an authoritative
server for a zone that has many delegations with many glue RRs.
</p>
<p>
In order to obtain the maximum performance improvement
from additional section caching, setting
<span class="command"><strong>additional-from-cache</strong></span>
to <span class="command"><strong>no</strong></span> is recommended, since the current
implementation of <span class="command"><strong>acache</strong></span>
does not short-cut of additional section information from the
DNS cache data.
</p>
<p>
One obvious disadvantage of <span class="command"><strong>acache</strong></span> is
that it requires much more
memory for the internal cached data.
Thus, if the response performance does not matter and memory
consumption is much more critical, the
<span class="command"><strong>acache</strong></span> mechanism can be
disabled by setting <span class="command"><strong>acache-enable</strong></span> to
<span class="command"><strong>no</strong></span>.
It is also possible to specify the upper limit of memory
consumption
for acache by using <span class="command"><strong>max-acache-size</strong></span>.
</p>
<p>
Additional section caching also has a minor effect on the
RRset ordering in the additional section.
Without <span class="command"><strong>acache</strong></span>,
<span class="command"><strong>cyclic</strong></span> order is effective for the additional
section as well as the answer and authority sections.
However, additional section caching fixes the ordering when it
first caches an RRset for the additional section, and the same
ordering will be kept in succeeding responses, regardless of the
setting of <span class="command"><strong>rrset-order</strong></span>.
The effect of this should be minor, however, since an
RRset in the additional section
typically only contains a small number of RRs (and in many cases
it only contains a single RR), in which case the
ordering does not matter much.
</p>
<p>
The following is a summary of options related to
<span class="command"><strong>acache</strong></span>.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt>
<dd>
<p>
If <span class="command"><strong>yes</strong></span>, additional section caching is
enabled. The default value is <span class="command"><strong>no</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt>
<dd>
<p>
The server will remove stale cache entries, based on an LRU
based
algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes.
The default is 60 minutes.
If set to 0, no periodic cleaning will occur.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt>
<dd>
<p>
The maximum amount of memory in bytes to use for the server's acache.
When the amount of data in the acache reaches this limit,
the server
will clean more aggressively so that the limit is not
exceeded.
In a server with multiple views, the limit applies
separately to the
acache of each view.
The default is <code class="literal">16M</code>.
</p>
</dd>
</dl></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="content_filtering"></a>Content Filtering</h4></div></div></div>
<p>

118
doc/arm/Bv9ARM.ch09.html
View file

@ -197,6 +197,58 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Many aspects of <span class="command"><strong>named</strong></span> have been modified
to improve query performance, and in particular, performance
for delegation-heavy zones:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
The additional cache ("acache") was found not to
significantly improve performance and has been removed;
the <span class="command"><strong>acache-enable</strong></span> and
<span class="command"><strong>acache-cleaning-interval</strong></span> options are now
deprecated.
</p>
</li>
<li class="listitem">
<p>
In place of the acache, <span class="command"><strong>named</strong></span> now uses
a glue cache to speed up retrieval of glue records when sending
delegation responses.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>additional-from-cache</strong></span>
and <span class="command"><strong>additional-from-auth</strong></span> options have been
deprecated.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>minimal-responses</strong></span> is now set
to <code class="literal">yes</code> by default.
</p>
</li>
<li class="listitem">
<p>
Several functions have been refactored to improve
performance, including name compression, owner name
case restoration, hashing, and buffers.
</p>
</li>
</ul></div>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
dump of the wire format DNS message encapsulated in each
<span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>host -A</strong></span> option returns most
@ -309,6 +361,16 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <span class="command"><strong>ps</strong></span> and
<span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
</p>
</li>
<li class="listitem">
<p>
The Response Policy Zone (RPZ) implementation has been
@ -355,61 +417,11 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
None.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could deadlock if multiple changes
to NSEC/NSEC3 parameters for the same zone were being processed
at the same time. [RT #42770]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could trigger an assertion when
sending NOTIFY messages. [RT #44019]
</p>
</li>
<li class="listitem">
<p>
Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
statement could cause an assertion failure during configuration.
[RT #43787]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc addzone</strong></span> could cause a crash
when attempting to add a zone with a type other than
<span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
Such zones are now rejected. [RT #43665]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could hang when encountering log
file names with large apparent gaps in version number (for
example, when files exist called "logfile.0", "logfile.1",
and "logfile.1482954169"). This is now handled correctly.
[RT #38688]
</p>
</li>
<li class="listitem">
<p>
If a zone was updated while <span class="command"><strong>named</strong></span> was
processing a query for nonexistent data, it could return
out-of-sync NSEC3 records causing potential DNSSEC validation
failure. [RT #43247]
</p>
</li>
</ul></div>
</li></ul></div>
</div>
<div class="section">

2
doc/arm/man.dnssec-keygen.html
View file

@ -141,7 +141,7 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need

9
doc/arm/man.dnstap-read.html
View file

@ -53,6 +53,7 @@
<code class="command">dnstap-read</code>
[<code class="option">-m</code>]
[<code class="option">-p</code>]
[<code class="option">-x</code>]
[<code class="option">-y</code>]
{<em class="replaceable"><code>file</code></em>}
</p></div>
@ -90,6 +91,14 @@
<span class="command"><strong>dnstap</strong></span> frame.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
After printing the <span class="command"><strong>dnstap</strong></span> data, print
a hex dump of the wire form of the DNS message that was
encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd>
<p>

1379
doc/arm/man.named.conf.html
View file

File diff suppressed because it is too large Load diff

8
doc/arm/man.rndc.html
View file

@ -292,14 +292,12 @@
number of backup log files is limited to that number.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd>
<p>
Dump the server's caches (default) and/or zones to
the
dump file for the specified views. If no view is
specified, all
views are dumped.
the dump file for the specified views. If no view
is specified, all views are dumped.
(See the <span class="command"><strong>dump-file</strong></span> option in
the BIND 9 Administrator Reference Manual.)
</p>

280
doc/arm/notes.html
View file

@ -9,180 +9,224 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
<p>
BIND 9.12.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
release leading up to the final BIND 9.12.0 release, this document
will be updated with additional features added and bugs fixed.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
<p>
With the release of BIND 9.11.0, ISC changed to the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
</p>
<p>
<p>
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, that you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
</p>
<p>
<p>
This new requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes, therefore this change will be without consequence
for most individuals and organizations who are using BIND.
</p>
<p>
<p>
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
https://www.isc.org/mission/contact/</a>.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
(CVE-2017-3138). [RT #44924]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed
in CVE-2017-3137. [RT #44734]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
can result in an assertion failure. This flaw is disclosed in
CVE-2017-3136. [RT #44653]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
If a server is configured with a response policy zone (RPZ)
that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read
triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
A coding error in the <code class="option">nxdomain-redirect</code>
feature could lead to an assertion failure if the redirection
namespace was served from a local authoritative data source
such as a local zone or a DLZ instead of via recursive
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could mishandle authority sections
with missing RRSIGs, triggering an assertion failure. This
flaw is disclosed in CVE-2016-9444. [RT #43632]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> mishandled some responses where
covering RRSIG records were returned without the requested
data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147. [RT #43548]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
records which could trigger an assertion failure when there was
a class mismatch. This flaw is disclosed in CVE-2016-9131.
[RT #43522]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
It was possible to trigger assertions when processing
responses containing answers of type DNAME. This flaw is
disclosed in CVE-2016-8864. [RT #43465]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Added the ability to specify the maximum number of records
permitted in a zone (<code class="option">max-records #;</code>).
This provides a mechanism to block overly large zone
transfers, which is a potential risk with slave zones from
other parties, as described in CVE-2016-6170.
[RT #42143]
</p></li>
</p>
</li>
</ul></div>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<p>
Many aspects of <span class="command"><strong>named</strong></span> have been modified
to improve query performance, and in particular, performance
for delegation-heavy zones:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
The additional cache ("acache") was found not to
significantly improve performance and has been removed;
the <span class="command"><strong>acache-enable</strong></span> and
<span class="command"><strong>acache-cleaning-interval</strong></span> options are now
deprecated.
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
In place of the acache, <span class="command"><strong>named</strong></span> now uses
a glue cache to speed up retrieval of glue records when sending
delegation responses.
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>additional-from-cache</strong></span>
and <span class="command"><strong>additional-from-auth</strong></span> options have been
deprecated.
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>minimal-responses</strong></span> is now set
to <code class="literal">yes</code> by default.
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Several functions have been refactored to improve
performance, including name compression, owner name
case restoration, hashing, and buffers.
</p></li>
</p>
</li>
</ul></div>
</li>
<li class="listitem"><p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
dump of the wire format DNS message encapsulated in each
<span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>host -A</strong></span> option returns most
records for a name, but omits types RRSIG, NSEC and NSEC3.
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Query logic has been substantially refactored (e.g. query_find
function has been split into smaller functions) for improved
readability, maintainability and testability. [RT #43929]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
automatically roll when they reach a specified size. If
<span class="command"><strong>dnstap-output</strong></span> is configured with mode
@ -192,8 +236,10 @@
(These have the same semantics as the corresponding
options in a <span class="command"><strong>logging</strong></span> channel statement.)
[RT #44502]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
now be configured with a <span class="command"><strong>suffix</strong></span> option,
set to either <code class="literal">increment</code> or
@ -203,26 +249,34 @@
<code class="filename">.1</code>, <code class="filename">.2</code>, etc)
or suffixes indicating the time of the roll. The default
is <code class="literal">increment</code>. [RT #42838]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
for EDNS options in addition to numeric values. For example,
an EDNS Client-Subnet option could be sent using
<span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
John Worley of Secure64 for the contribution. [RT #44461]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Added support for the EDNS TCP Keepalive option (RFC 7828);
this allows negotiation of longer-lived TCP sessions
to reduce the overhead of setting up TCP for individual
queries. [RT #42126]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Added support for the EDNS Padding option (RFC 7830),
which obfuscates packet size analysis when DNS queries
are sent over an encrypted channel. [RT #42094]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
The <code class="option">print-time</code> option in the
<code class="option">logging</code> configuration can now take arguments
<strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
@ -230,49 +284,58 @@
which the date and time should be logged. For backward
compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
<strong class="userinput"><code>local</code></strong>. [RT #42585]
</p></li>
</p>
</li>
<li class="listitem">
<p>
<p>
<span class="command"><strong>rndc</strong></span> commands which refer to zone names
can now reference a zone of type <span class="command"><strong>redirect</strong></span>
by using the special zone name "-redirect". (Previously this
was not possible because <span class="command"><strong>redirect</strong></span> zones
always have the name ".", which can be ambiguous.)
</p>
<p>
<p>
In the event you need to manipulate a zone actually
called "-redirect", use a trailing dot: "-redirect."
</p>
<p>
<p>
Note: This change does not appply to the
<span class="command"><strong>rndc addzone</strong></span> or
<span class="command"><strong>rndc modzone</strong></span> commands.
</p>
</li>
<li class="listitem"><p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
in <code class="filename">named.conf</code>. [RT #43154]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Query logging now includes the ECS option, if one was
present in the query, in the format
"[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
</p></li>
</p>
</li>
</ul></div>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <span class="command"><strong>ps</strong></span> and
<span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
The Response Policy Zone (RPZ) implementation has been
substantially refactored: updates to the RPZ summary
database are no longer directly performed by the zone
@ -282,8 +345,10 @@
Summary database updates can be rate-limited by using the
<span class="command"><strong>min-update-interval</strong></span> option in a
<span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnstap</strong></span> now stores both the local and remote
addresses for all messages, instead of only the remote address.
The default output format for <span class="command"><strong>dnstap-read</strong></span> has
@ -291,46 +356,57 @@
address first and the responding address second, separated by
"-%gt;" or "%lt;-" to indicate in which direction the message
was sent. [RT #43595]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
Expanded and improved the YAML output from
<span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
size and a detailed breakdown of message contents.
[RT #43622] [RT #43642]
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
If an ACL is specified with an address prefix in which the
prefix length is longer than the address portion (for example,
192.0.2.1/8), it will now be treated as a fatal error during
configuration. [RT #43367]
</p></li>
</p>
</li>
</ul></div>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
None.
</p></li></ul></div>
</div>
<div class="section">
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
<p>
The end of life for BIND 9.12 is yet to be determined but
will not be before BIND 9.14.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div></div></body>
</div></body>
</html>