BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture.
BIND 9.5 is a previous major release. It is still supported, and bug fixes and security fixes will be made available as minor releases. No new features will be added. Some of the important features of BIND 9 are:
All ISC software is signed with our OpenPGP Key. You can download ISC software either from our master site, or at a number of mirror sites across the globe.
BIND 9.5 has a number of new features over previous versions, including: GSS-TSIG support (RFC 3645). DHCID support. Experimental HTTP server and statistics support for named via XML. More detailed statistics counters, compatible with the ones supported in BIND 8. Faster ACL processing. Use of Doxygen to generate internal documentation. Efficient LRU cache cleaning mechanism. NSID support (RFC 5001).
BIND 9.5 Administrator Reference Manual
The BIND 9 Administrator Reference Manual is included with the source distribution in DocBook XML and HTML format, in the doc/arm directory. Some of the programs in the BIND 9 distribution have man pages under the doc/man directory. In particular, the command line options of "named" are documented in doc/man/bind/named.8. There is now also a set of man pages for the lwres library.
If you are upgrading from BIND 8, please read the migration notes in doc/misc/migration. If you are upgrading from BIND 4, read doc/misc/migration-4to9. Frequently asked questions and their answers can be found in the FAQ. For detailed information about new features in this release, see New features in BIND 9.5.
BIND 9 currently requires a UNIX system with an ANSI C compiler, basic
POSIX support, and a 64 bit integer type.
We've had successful builds and tests on the following systems:
To build, just
./configure
make
Do not use a parallel "make".
Several environment variables that can be set before running configure will affect compilation:
CC
CFLAGS
STD_CINCLUDES
STD_CDEFINES
To build shared libraries, specify "--with-libtool" on the configure command line.
For the server to support DNSSEC, you need to build it with crypto support. You must have OpenSSL 0.9.5a or newer installed and specify "--with-openssl" on the configure command line. If OpenSSL is installed under a nonstandard prefix, you can tell configure where to look for it using "--with-openssl=/prefix".
To build libbind (BIND 8 resolver library), specify "--enable-libbind" on the configure command line.
On some platforms, BIND 9 can be built with multithreading support, allowing it to take advantage of multiple CPUs. You can specify whether to build a multithreaded BIND 9 by specifying "--enable-threads" or "--disable-threads" on the configure command line. The default is operating system dependent.
If your operating system has integrated support for IPv6, it will be used automatically. If you have installed KAME IPv6 separately, use "--with-kame[=PATH]" to specify its location.
"make install" will install "named" and the various BIND 9 libraries. By default, installation is into /usr/local, but this can be changed with the "--prefix" option when running "configure".
You may specify the option "--sysconfdir" to set the directory where configuration files like "named.conf" go by default, and "--localstatedir" to set the default parent directory of "run/named.pid". For backwards compatibility with BIND 8, --sysconfdir defaults to "/etc" and --localstatedir defaults to "/var" if no --prefix option is given. If there is a --prefix option, sysconfdir defaults to "$prefix/etc" and localstatedir defaults to "$prefix/var".
To see additional configure options, run "configure --help". Note that the help message does not reflect the BIND 8 compatibility defaults for sysconfdir and localstatedir.
If you're planning on making changes to the BIND 9 source, you should also "make depend". If you're using Emacs, you might find "make tags" helpful.
Building with gcc is not supported, unless gcc is the vendor's usual compiler (e.g. the various BSD systems, Linux). Known compiler issues:
A limited test suite can be run with "make test". Many of the tests require you to configure a set of virtual IP addresses on your system, and some require Perl; see bin/tests/system/README for details.
BIND 9.5.1-P3 is now available.
BIND 9.5.1-P3 is the THIRD SECURITY PATCH for BIND 9.5.1. It addresses a
denial-of-service bug in which a malformed UPDATE packet caused named to
crash.
Bugs should be reported to bind9-bugs@isc.org.
BIND 9.5.1-P3 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
PGP signatures of the distribution are at:
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz.sha512.asc
The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip
PGP signatures of the binary kit are at:
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1-P3/BIND9.5.1-P3.debug.zip.sha512.asc
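Checking one of the signatures listed above before building or installing, as an added example (not ISC's own script): it verifies the detached signature, pins the signer's fingerprint and refuses signatures made with a weak digest. PINNED_FPR is a placeholder to be replaced with the fingerprint published at https://www.isc.org/about/openpgp, the function names are hypothetical, and it assumes the .sha256.asc and .sha512.asc files are detached signatures made with those digests, as their names suggest.

```shell
#!/bin/sh
# Added example (not ISC's script). PINNED_FPR is a PLACEHOLDER: replace it with
# the 40-hex-digit, upper-case fingerprint published at
# https://www.isc.org/about/openpgp, obtained over a channel you trust.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` output on stdin and print "FINGERPRINT HASH_ALGO_ID"
# for a valid signature. Fails if no VALIDSIG record is present or if gpg
# reported a bad, unverifiable, expired or revoked signature or key.
signer_info() {
    awk '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG fields: $3 signing-key fpr, $10 hash algo, $12 primary-key fpr
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3; algo = $10 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (bad || fpr == "") exit 1; print fpr, algo }
    '
}

# Accept only the pinned key and a SHA-2 digest (OpenPGP hash ids:
# 8 = SHA-256, 9 = SHA-384, 10 = SHA-512). MD5 (1) and SHA-1 (2) are refused.
policy_ok() {   # usage: policy_ok FINGERPRINT HASH_ALGO_ID
    [ "$1" = "$PINNED_FPR" ] || return 1
    case "$2" in
        8|9|10) return 0 ;;
        *)      return 1 ;;
    esac
}

# Verify FILE against the detached signature SIGFILE; fail closed.
verify_release() {   # usage: verify_release FILE SIGFILE
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    info=$(printf '%s\n' "$status" | signer_info) || return 1
    # $info is "FPR ALGO"; word splitting is intended here.
    # shellcheck disable=SC2086
    policy_ok $info
}

# Example: sh verify.sh bind-9.5.1-P3.tar.gz bind-9.5.1-P3.tar.gz.sha512.asc
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $1 is signed by the pinned key"
    else
        echo "FAIL: do not build or install $1" >&2
        exit 1
    fi
fi
```

The signer's public key must already be in the local keyring; a good signature from any other key is rejected by the fingerprint check.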
Changes since 9.5.1-P2:
2640. [security] A specially crafted update packet will cause named
to exit. [RT #20000]
Bug reports should be sent to:
bind9-bugs@isc.org
Please check the list of upcoming fixes below before submitting a bug report.
To join the BIND Users mailing list, send mail to: bind-users-request@isc.org. If you're planning on making changes to the BIND 9 source code, you might want to join the BIND Workers mailing list. Send mail to: bind-workers-request@isc.org
| 2850. | [bug] | If isc_heap_insert() failed due to memory shortage the heap would have corrupted entries. [RT #20951] |
| 2849. | [bug] | Don't treat errors from the xml2 library as fatal. |
| 2846. | [bug] | EOF on unix domain sockets was not being handled correctly. [RT #20731] |
| 2844. | [doc] | notify-delay default in ARM was wrong. It should have been five (5) seconds. |
| 2837. | [port] | Prevent Linux spurious warnings about fwrite(). |
| 2831. | [security] | Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] |
| 2828. | [security] | Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] |
| 2827. | [security] | Bogus NXDOMAIN could be cached as if valid. [RT #20712] |
| 2819. | [cleanup] | Removed unnecessary DNS_POINTER_MAXHOPS define |
| 2818. | [cleanup] | rndc could return an incorrect error code when a zone was not found. [RT #20767] |
| 2815. | [bug] | Exclusively lock the task when freezing a zone. |
| 2814. | [func] | Provide a definitive error message when a master zone is not loaded. [RT #20757] |
| 2797. | [bug] | Don't decrement the dispatch manager's maxbuffers. |
| 2790. | [bug] | Handle DS queries to stub zones. [RT #20440] |
| 2786. | [bug] | Additional could be promoted to answer. [RT #20663] |
| 2784. | [bug] | TC was not always being set when required glue was dropped. [RT #20655] |
| 2783. | [func] | Return minimal responses to EDNS/UDP queries with a UDP buffer size of 512 or less. [RT #20654] |
| 2782. | [port] | win32: use getaddrinfo() for hostname lookups. |
| 2777. | [contrib] | DLZ MYSQL auto reconnect support discovery was wrong. |
| 2772. | [security] | When validating, track whether pending data was from the additional section or not and only return it if it validates as secure. [RT #20438] |
| 2765. | [bug] | Skip masters for which the TSIG key cannot be found. |
| 2760. | [cleanup] | Corrected named-compilezone usage summary. [RT #20533] |
| 2759. | [doc] | Add information about .jbk/.jnw files to the ARM. [RT #20303] |
| 2758. | [bug] | win32: Added a workaround for a windows 2008 bug that could cause the UDP client handler to shut down. [RT #19176] |
| 2757. | [bug] | dig: assertion failure could occur in connect timeout. [RT #20599] |
| 2755. | [doc] | Clarify documentation of keyset- files in dnssec-signzone man page. [RT #19810] |
| 2750. | [bug] | dig: assertion failure could occur when a server didn't have an address. [RT #20579] |
| 2729. | [func] | When constructing a CNAME from a DNAME use the DNAME |
| 2723. | [bug] | isc_base64_totext() didn't always mark regions of memory as fully consumed after conversion. [RT #20445] |
| 2722. | [bug] | Ensure that the memory associated with the name of a node in a rbt tree is not altered during the life of the node. [RT #20431] |
| 2721. | [port] | Have dst__entropy_status() prime the random number generator. [RT #20369] |
| 2718. | [bug] | The space calculations in opensslrsa_todns() were incorrect. [RT #20394] |
| 2716. | [bug] | nslookup debug mode didn't return the ttl. [RT #20414] |
| 2715. | [bug] | Require OpenSSL support to be explicitly disabled. |
| 2714. | [port] | aix/powerpc: 'asm("ics");' needs non standard assembler flags. |
| 2713. | [bug] | powerpc: atomic operations missing asm("ics") / __isync() calls. |
| 2705. | [bug] | Reconcile the XML stats version number with a later BIND9 release, by adding a "name" attribute to "cache" elements and increasing the version number to 2.2. (This is a minor version change, but may affect XML parsers if they assume the cache element doesn't take an attribute.) |
| 2704. | [bug] | Serial of dynamic and stub zones could be inconsistent with their SOA serial. [RT #19387] |
| 2701. | [doc] | Correction to ARM: hmac-md5 is no longer the only supported TSIG key algorithm. [RT #18046] |
| 2700. | [doc] | The match-mapped-addresses option is discouraged. |
| 2698. | [cleanup] | configure --enable-libbind is deprecated. [RT #20090] |
| 2697. | [port] | win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including <isc/stat.h>. |
| 2696. | [bug] | named failed to successfully process some valid acl constructs. [RT #20308] |
| 2692. | [port] | win32: 32/64 bit cleanups. [RT #20335] |
| 2690. | [bug] | win32: fix isc_thread_key_getspecific() prototype. |
| 2689. | [bug] | Correctly handle snprintf result. [RT #20306] |
| 2688. | [bug] | Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, to decide to fetch the destination address. [RT #20305] |
| 2659. | [doc] | Clarify dnssec-keygen doc: key name must match zone name for DNSSEC keys. [RT #19938] |
| 2601. | [doc] | Mention file creation mode mask in the named manual page. |
| 2533. | [doc] | ARM: document @ (at-sign). [RT #17144] |
| --- 9.5.2 released --- |
| 2681. | [bug] | IPSECKEY RR of gateway type 3 was not correctly decoded. [RT #20269] |
| 2678. | [func] | Treat DS queries as if "minimal-response yes;" was set. [RT #20258] |
| 2427. | [func] | Treat DNSKEY queries as if "minimal-response yes;" was set. [RT #18528] |
| --- 9.5.2rc1 released --- |
| 2672. | [bug] | Don't enable searching in 'host' when doing reverse lookups. [RT #20218] |
| 2670. | [bug] | Unexpected connect failures failed to log enough information to be useful. [RT #20205] |
| 2663. | [func] | win32: allow named to run as a service using "NT AUTHORITY\LocalService" as the account. [RT #19977] |
| 2656. | [func] | win32: add a "tools only" check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevant DLLs. [RT #19998] |
| 2655. | [doc] | Document that key-directory does not affect rndc.key. [RT #20155] |
| --- 9.5.2b1 released --- |
| 2649. | [bug] | Set the domain for forward only zones. [RT #19944] |
| 2648. | [port] | win32: isc_time_seconds() was broken. [RT #19900] |
| 2646. | [bug] | Incorrect cleanup on error in socket.c. [RT #19987] |
| 2645. | [port] | "gcc -m32" didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] |
| 2642. | [bug] | nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] |
| 2640. | [security] | A specially crafted update packet will cause named to exit. [RT #20000] |
| 2637. | [func] | Rationalize dnssec-signzone's signwithkey() calling. |
| 2635. | [bug] | isc_inet_ntop() incorrectly handled 0.0/16 addresses. |
| 2633. | [bug] | Handle 15 bit rand() functions. [RT #19783] |
| 2632. | [func] | util/kit.sh: warn if documentation appears to be out of date. [RT #19922] |
| 2623. | [bug] | Named started searches for DS non-optimally. [RT #19915] |
| 2621. | [doc] | Made copyright boilerplate consistent. [RT #19833] |
| 2920. | [bug] | Delay thawing the zone until the reload of it has completed successfully. [RT #19750] |
| 2618. | [bug] | The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847] |
| 2617. | [bug] | ifconfig.sh failed to emit an error message when run from the wrong location. [RT #19375] |
| 2616. | [bug] | 'host' used the nameservers from resolv.conf even when an explicit nameserver was specified. [RT #19852] |
| 2615. | [bug] | "__attribute__((unused))" was in the wrong place for ia64 gcc builds. [RT #19854] |
| 2614. | [port] | win32: 'named -v' should automatically be executed in the foreground. [RT #19844] |
| 2610. | [port] | sunos: Change #2363 was not complete. [RT #19796] |
| 2606. | [bug] | "delegation-only" was not being accepted in delegation-only type zones. [RT #19717] |
| 2605. | [bug] | Accept DS responses from delegation only zones. |
| 2603. | [port] | win32: handle .exe extension of named-checkzone and named-compilezone argv[0] names under windows. |
| 2602. | [port] | win32: fix debugging command line build of libisccfg. |
| 2599. | [bug] | Address rapid memory growth when validation fails. |
| 2596. | [bug] | Stale tree nodes of cache/dynamic rbtdb could stay long, leading to inefficient memory usage or rejecting newer cache entries in the worst case. [RT #19563] |
| 2595. | [bug] | Fix unknown extended rcodes in dig. [RT #19625] |
| 2592. | [bug] | Treat "any" as a type in nsupdate. [RT #19455] |
| 2591. | [bug] | named could die when processing an update in removed_orphaned_ds(). [RT #19507] |
| 2589. | [bug] | dns_db_unregister() failed to clear '*dbimp'. |
| 2586. | [bug] | Missing cleanup of SIG rdataset in searching a DLZ DB or SDB. [RT #19577] |
| 2585. | [bug] | Uninitialized socket name could be referenced via a statistics channel, triggering an assertion failure in XML rendering. [RT #19427] |
| 2584. | [bug] | alpha: gcc optimization could break atomic operations. |
| 2583. | [port] | netbsd: provide a control to not add the compile date to the version string, -DNO_VERSION_DATE. |
| 2582. | [bug] | Don't emit warning log message when we attempt to remove non-existent journal. [RT #19516] |
| 2581. | [contrib] | dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] |
| 2580. | [bug] | UpdateRej statistics counter could be incremented twice for one rejection. [RT #19476] |
| 2579. | [bug] | DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] |
| 2577. | [doc] | Clarified some statistics counters. [RT #19454] |
| 2573. | [bug] | Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397] |
| 2568. | [bug] | Report when the write to indicate an otherwise successful start fails. [RT #19360] |
| 2567. | [bug] | dst__privstruct_writefile() could miss write errors. write_public_key() could miss write errors. |
| 2564. | [bug] | Only take EDNS fallback steps when processing timeouts. |
| 2563. | [bug] | Dig could leak a socket causing it to wait forever to exit. [RT #19359] |
| 2562. | [doc] | ARM: miscellaneous improvements, reorganization, and some new content. |
| 2561. | [doc] | Add isc-config.sh(1) man page. [RT #16378] |
| 2560. | [bug] | Add #include <config.h> to iptable.c. [RT #18258] |
| 2557. | [cleanup] | PCI compliance: * new libisc log module file * isc_dir_chroot() now also changes the working directory to "/". * additional INSISTs * additional logging when files can't be removed. |
| 2553. | [bug] | Reference leak on DNSSEC validation errors. [RT #19291] |
| 2552. | [bug] | zero-no-soa-ttl-cache was not being honoured. |
| 2551. | [bug] | Potential Reference leak on return. [RT #19341] |
| 2550. | [bug] | Check --with-openssl=<path> finds <openssl/opensslv.h>. |
| 2549. | [port] | linux: define NR_OPEN if not currently defined. |
| 2547. | [bug] | openssl_link.c:mem_realloc() could reference an out-of-range area of the source buffer. New public function isc_mem_reallocate() was introduced to address this bug. [RT #19313] |
| 2545. | [doc] | ARM: Legal hostname checking (check-names) is for SRV RDATA too. [RT #19304] |
| 2544. | [cleanup] | Removed unused structure members in adb.c. [RT #19225] |
| 2542. | [doc] | Update the description of dig +adflag. [RT #19290] |
| 2541. | [bug] | Conditionally update dispatch manager statistics. |
| 2539. | [security] | Update the interaction between recursion, allow-query, allow-query-cache and allow-recursion. [RT #19198] |
| 2538. | [bug] | cache/ADB memory could grow over max-cache-size, especially with threads and smaller max-cache-size values. [RT #19240] |
| 2537. | [experimental] | Added more statistics counters including those on socket I/O events and query RTT histograms. [RT #18802] |
| 2536. | [cleanup] | Silence some warnings when -Werror=format-security is specified. [RT #19083] |
| 2535. | [bug] | dig +showsearch and +trace interacted badly. [RT #19091] |
| 2532. | [bug] | dig: check the question section of the response to see if it matches the asked question. [RT #18495] |
| 2531. | [bug] | Change #2207 was incomplete. [RT #19098] |
| 2529. | [cleanup] | Upgrade libtool to silence complaints from recent version of autoconf. [RT #18657] |
| 2528. | [cleanup] | Silence spurious configure warning about --datarootdir [RT #19096] |
| 2527. | [bug] | named could reuse cache on reload with enabling/disabling validation. [RT #19119] |
| 2525. | [experimental] | New logging category "query-errors" to provide detailed internal information about query failures, especially about server failures. [RT #19027] |
| 2523. | [bug] | Random type rdata freed by dns_nsec_typepresent(). |
| 2522. | [security] | Handle -1 from DSA_do_verify(). |
| 2521. | [bug] | Improve epoll cross compilation support. [RT #19047] |
| 2519. | [bug] | dig/host with -4 or -6 didn't work if more than two nameserver addresses of the excluded address family preceded in resolv.conf. [RT #19081] |
| 2517. | [bug] | dig +trace with -4 or -6 failed when it chose a nameserver address of the excluded address type. |
| 2516. | [bug] | glue sort for responses was performed even when not needed. [RT #19039] |
| 2514. | [bug] | dig/host failed with -4 or -6 when resolv.conf contains a nameserver of the excluded address family. |
| 2511. | [cleanup] | dns_rdata_tofmttext() add const to linebreak. |
| 2506. | [port] | solaris: Check at configure time if hack_shutup_pthreadonceinit is needed. [RT #19037] |
| 2505. | [port] | Treat amd64 similarly to x86_64 when determining atomic operation support. [RT #19031] |
| 2503. | [port] | linux: improve compatibility with Linux Standard Base. [RT #18793] |
| 2502. | [cleanup] | isc_radix: Improve compliance with coding style, document function in <isc/radix.h>. [RT #18534] |
| 2500. | [contrib] | contrib/sdb/pgsql/zonetodb.c called non-existent function. [RT #18582] |
| 2499. | [port] | solaris: lib/lwres/getaddrinfo.c namespace clash. |