diff options
Diffstat (limited to 'contrib/bind9/README')
| -rw-r--r-- | contrib/bind9/README | 448 |
1 files changed, 89 insertions, 359 deletions
diff --git a/contrib/bind9/README b/contrib/bind9/README index 54d90fe1f22c..00010c3983f3 100644 --- a/contrib/bind9/README +++ b/contrib/bind9/README @@ -42,368 +42,95 @@ BIND 9 Stichting NLnet - NLnet Foundation Nominum, Inc. -BIND 9.6.3 - - BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2. - -BIND 9.6.2 - - BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1. - It also introduces support for the SHA-2 DNSSEC algorithms, - RSASHA256 and RSASHA512. - - Known issues in this release: - - - A validating resolver that has been incorrectly configured with - an invalid trust anchor will be unable to resolve names covered - by that trust anchor. In all current versions of BIND 9, such a - resolver will also generate significant unnecessary DNS traffic - while trying to validate. The latter problem will be addressed - in future BIND 9 releases. In the meantime, to avoid these - problems, exercise caution when configuring "trusted-keys": - make sure all keys are correct and current when you add them, - and update your configuration in a timely manner when keys - roll over. - -BIND 9.6.1 - - BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0. - -BIND 9.6.0 - - BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier - releases, including: - - Full NSEC3 support - - Automatic zone re-signing - - New update-policy methods tcp-self and 6to4-self - - The BIND 8 resolver library, libbind, has been removed from the - BIND 9 distribution and is now available as a separate download. - - Change the default pid file location from /var/run to - /var/run/{named,lwresd} for improved chroot/setuid support. - -BIND 9.5.0 - - BIND 9.5.0 has a number of new features over 9.4, - including: - - GSS-TSIG support (RFC 3645). - - DHCID support. - - Experimental http server and statistics support for named via xml. - - More detailed statistics counters including those supported in BIND 8. - - Faster ACL processing. - - Use Doxygen to generate internal documentation. - - Efficient LRU cache-cleaning mechanism. - - NSID support. - -BIND 9.4.0 - - BIND 9.4.0 has a number of new features over 9.3, - including: - - Implemented "additional section caching (or acache)", an - internal cache framework for additional section content to - improve response performance. Several configuration options - were provided to control the behavior. - - New notify type 'master-only'. Enable notify for master - zones only. - - Accept 'notify-source' style syntax for query-source. - - rndc now allows addresses to be set in the server clauses. - - New option "allow-query-cache". This lets "allow-query" - be used to specify the default zone access level rather - than having to have every zone override the global value. - "allow-query-cache" can be set at both the options and view - levels. If "allow-query-cache" is not set then "allow-recursion" - is used if set, otherwise "allow-query" is used if set - unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - - rndc: the source address can now be specified. - - ixfr-from-differences now takes master and slave in addition - to yes and no at the options and view levels. - - Allow the journal's name to be changed via named.conf. - - 'rndc notify zone [class [view]]' resend the NOTIFY messages - for the specified zone. - - 'dig +trace' now randomly selects the next servers to try. - Report if there is a bad delegation. - - Improve check-names error messages. - - Make public the function to read a key file, dst_key_read_public(). - - dig now returns the byte count for axfr/ixfr. - - allow-update is now settable at the options / view level. - - named-checkconf now checks the logging configuration. - - host now can turn on memory debugging flags with '-m'. - - Don't send notify messages to self. - - Perform sanity checks on NS records which refer to 'in zone' names. - - New zone option "notify-delay". Specify a minimum delay - between sets of NOTIFY messages. - - Extend adjusting TTL warning messages. - - Named and named-checkzone can now both check for non-terminal - wildcard records. - - "rndc freeze/thaw" now freezes/thaws all zones. - - named-checkconf now check acls to verify that they only - refer to existing acls. - - The server syntax has been extended to support a range of - servers. - - Report differences between hints and real NS rrset and - associated address records. - - Preserve the case of domain names in rdata during zone - transfers. - - Restructured the data locking framework using architecture - dependent atomic operations (when available), improving - response performance on multi-processor machines significantly. - x86, x86_64, alpha, powerpc, and mips are currently supported. - - UNIX domain controls are now supported. - - Add support for additional zone file formats for improving - loading performance. The masterfile-format option in - named.conf can be used to specify a non-default format. A - separate command named-compilezone was provided to generate - zone files in the new format. Additionally, the -I and -O - options for dnssec-signzone specify the input and output - formats. - - dnssec-signzone can now randomize signature end times - (dnssec-signzone -j jitter). - - Add support for CH A record. - - Add additional zone data constancy checks. named-checkzone - has extended checking of NS, MX and SRV record and the hosts - they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. - - - edns-udp-size can now be overridden on a per server basis. - - dig can now specify the EDNS version when making a query. - - Added framework for handling multiple EDNS versions. - - Additional memory debugging support to track size and mctx - arguments. - - Detect duplicates of UDP queries we are recursing on and - drop them. New stats category "duplicates". - - "USE INTERNAL MALLOC" is now runtime selectable. - - The lame cache is now done on a <qname,qclass,qtype> basis - as some servers only appear to be lame for certain query - types. - - Limit the number of recursive clients that can be waiting - for a single query (<qname,qtype,qclass>) to resolve. New - options clients-per-query and max-clients-per-query. - - dig: report the number of extra bytes still left in the - packet after processing all the records. - - Support for IPSECKEY rdata type. - - Raise the UDP recieve buffer size to 32k if it is less than 32k. - - x86 and x86_64 now have seperate atomic locking implementations. - - named-checkconf now validates update-policy entries. - - Attempt to make the amount of work performed in a iteration - self tuning. The covers nodes clean from the cache per - iteration, nodes written to disk when rewriting a master - file and nodes destroyed per iteration when destroying a - zone or a cache. - - ISC string copy API. - - Automatic empty zone creation for D.F.IP6.ARPA and friends. - Note: RFC 1918 zones are not yet covered by this but are - likely to be in a future release. - - New options: empty-server, empty-contact, empty-zones-enable - and disable-empty-zone. - - dig now has a '-q queryname' and '+showsearch' options. - - host/nslookup now continue (default)/fail on SERVFAIL. - - dig now warns if 'RA' is not set in the answer when 'RD' - was set in the query. host/nslookup skip servers that fail - to set 'RA' when 'RD' is set unless a server is explicitly - set. - - Integrate contibuted DLZ code into named. - - Integrate contibuted IDN code from JPNIC. - - libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - BIND 9.3.0 has a number of new features over 9.2, - including: - - DNSSEC is now DS based (RFC 3658). - See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. - - DNSSEC lookaside validation. - - check-names is now implemented. - rrset-order in more complete. - - IPv4/IPv6 transition support, dual-stack-servers. - - IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - - It is now possible to specify the size of a journal, max-journal-size. - - It is now possible to define a named set of master servers to be - used in masters clause, masters. - - The advertised EDNS UDP size can now be set, edns-udp-size. - - allow-v6-synthesis has been obsoleted. - - NOTE: - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as - NOTIMP rather than NOTIMPL. This will have impact on scripts - that are looking for NOTIMPL. - - libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - BIND 9.2.0 has a number of new features over 9.1, - including: - - - The size of the cache can now be limited using the - "max-cache-size" option. - - - The server can now automatically convert RFC1886-style - recursive lookup requests into RFC2874-style lookups, - when enabled using the new option "allow-v6-synthesis". - This allows stub resolvers that support AAAA records - but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS - features. - - - Performance has been improved. - - - The man pages now use the more portable "man" macros - rather than the "mandoc" macros, and are installed - by "make install". - - - The named.conf parser has been completely rewritten. - It now supports "include" directives in more - places such as inside "view" statements, and it no - longer has any reserved words. - - - The "rndc status" command is now implemented. - - - rndc can now be configured automatically. - - - A BIND 8 compatible stub resolver library is now - included in lib/bind. - - - OpenSSL has been removed from the distribution. This - means that to use DNSSEC, OpenSSL must be installed and - the --with-openssl option must be supplied to configure. - This does not apply to the use of TSIG, which does not - require OpenSSL. - - - The source distribution now builds on Windows. - See win32utils/readme1.txt and win32utils/win32-build.txt - for details. - - This distribution also includes a new lightweight stub - resolver library and associated resolver daemon that fully - support forward and reverse lookups of both IPv4 and IPv6 - addresses. This library is considered experimental and - is not a complete replacement for the BIND 8 resolver library. - Applications that use the BIND 8 res_* functions to perform - DNS lookups or dynamic updates still need to be linked against - the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - - BIND 9.2 is capable of acting as an authoritative server - for DNSSEC secured zones. This functionality is believed to - be stable and complete except for lacking support for - verifications involving wildcard records in secure zones. - - When acting as a caching server, BIND 9.2 can be configured - to perform DNSSEC secure resolution on behalf of its clients. - This part of the DNSSEC implementation is still considered - experimental. For detailed information about the state of the - DNSSEC implementation, see the file doc/misc/dnssec. - - There are a few known bugs: - - On some systems, IPv6 and IPv4 sockets interact in - unexpected ways. For details, see doc/misc/ipv6. - To reduce the impact of these problems, the server - no longer listens for requests on IPv6 addresses - by default. If you need to accept DNS queries over - IPv6, you must specify "listen-on-v6 { any; };" - in the named.conf options statement. - - FreeBSD prior to 4.2 (and 4.2 if running as non-root) - and OpenBSD prior to 2.8 log messages like - "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and - OS X 10.2 (Darwin 6.0) reports errors like - "fcntl(3, F_SETFL, 4): Operation not supported by device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - --with-libtool does not work on AIX. - - A bug in some versions of the Microsoft DNS server can cause zone - transfers from a BIND 9 server to a W2K server to fail. For details, - see the "Zone Transfers" section in doc/misc/migration. + For a summary of functional enhancements in previous + releases, see the HISTORY file. For a detailed list of user-visible changes from previous releases, see the CHANGES file. +BIND 9.8.0 + + BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier + releases. New features include: + + - Built-in trust anchor for the root zone, which can be + switched on via "dnssec-validation auto;" + - Support for DNS64. + - Support for response policy zones (RPZ). + - Support for writable DLZ zones. + - Improved ease of configuration of GSS/TSIG for + interoperability with Active Directory + - Support for GOST signing algorithm for DNSSEC. + - Removed RTT Banding from server selection algorithm. + - New "static-stub" zone type. + - Allow configuration of resolver timeouts via + "resolver-query-timeout" option. + +BIND 9.7.0 + + BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier + releases. Most are intended to simplify DNSSEC configuration. + + New features include: + + - Fully automatic signing of zones by "named". + - Simplified configuration of DNSSEC Lookaside Validation (DLV). + - Simplified configuration of Dynamic DNS, using the "ddns-confgen" + command line tool or the "local" update-policy option. (As a side + effect, this also makes it easier to configure automatic zone + re-signing.) + - New named option "attach-cache" that allows multiple views to + share a single cache. + - DNS rebinding attack prevention. + - New default values for dnssec-keygen parameters. + - Support for RFC 5011 automated trust anchor maintenance + - Smart signing: simplified tools for zone signing and key + maintenance. + - The "statistics-channels" option is now available on Windows. + - A new DNSSEC-aware libdns API for use by non-BIND9 applications + - On some platforms, named and other binaries can now print out + a stack backtrace on assertion failure, to aid in debugging. + - A "tools only" installation mode on Windows, which only installs + dig, host, nslookup and nsupdate. + - Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + + Known issues in this release: + + - In rare cases, DNSSEC validation can leak memory. When this + happens, it will cause an assertion failure when named exits, + but is otherwise harmless. A fix exists, but was too late for + this release; it will be included in BIND 9.7.1. + + Compatibility notes: + + - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, + ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then + you should ensure that all changes that are in progress have + completed prior to upgrading to BIND 9.7. BIND 9.7 implements + those features in a way which is not backwards compatible. + + - Prior releases had a bug which caused HMAC-SHA* keys with long + secrets to be used incorrectly. Fixing this bug means that older + versions of BIND 9 may fail to interoperate with this version + when using TSIG keys. If this occurs, the new "isc-hmac-fixup" + tool will convert a key with a long secret into a form that works + correctly with all versions of BIND 9. See the "isc-hmac-fixup" + man page for additional details. + + - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID. + It is possible for the new key ID to collide with that of a + different key. Newly generated keys will not have this problem, + as "dnssec-keygen" looks for potential collisions before + generating keys, but exercise caution if using key revokation + with keys that were generated by older versions of BIND 9. See + the Administrator's Reference Manual, section 4.10 ("Dynamic + Trust Anchor Management") for more details. + + - A bug was fixed in which a key's scheduled inactivity date was + stored incorectly. Users who participated in the 9.7.0 BETA test + and had DNSSEC keys with scheduled inactivity dates will need to + reset those keys' dates using "dnssec-settime -I". Building @@ -417,7 +144,7 @@ Building FreeBSD 4.10, 5.2.1, 6.2 HP-UX 11.11 Mac OS X 10.5 - NetBSD 3.x and 4.0-beta + NetBSD 3.x, 4.0-beta, 5.0-beta OpenBSD 3.3 and up Solaris 8, 9, 9 (x86), 10 Ubuntu 7.04, 7.10 @@ -594,6 +321,9 @@ Documentation Frequently asked questions and their answers can be found in FAQ. + Additional information on various subjects can be found + in the other README files. + Bug Reports and Mailing Lists |