Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                     BIND 8 to BIND 9 Migration Notes
                includes BIND 9.2.4 to BIND 9.3.4 changes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but there
are still a number of caveats you should be aware of when upgrading an
existing BIND 8 installation to use BIND 9.

Introduction
------------

This document provides information about differences between BIND 8 and
BIND 9. BIND 9 is upwards compatible with most BIND 8 features. However,
there are still a number of caveats you should be aware of when upgrading
an existing BIND 8 installation to use BIND 9. Be sure to read this entire
document before installing and using BIND 9.

This document contains the following sections:

  * Section A, 1-7   Overview of Differences Between BIND 8 and BIND 9
  * Section 8        BIND 9 name server and the Service Management Facility
  * Appendix I       Implementing rndc
  * Appendix II      BIND 9 Commands, Options, Files, and Tools
  * Appendix III     The named.conf Options

Additional information and documentation about BIND 9, including an
Administrator Reference Manual (ARM), is available on the ISC web site at
http://www.isc.org

The words "named", "DNS server", "name server" and "BIND 9 server" are used
interchangeably to denote the Internet Systems Consortium BIND version 9
DNS server throughout this document.

Overview of Differences Between BIND 8 and BIND 9
-------------------------------------------------

Below is a list of changes between BIND 8 and BIND 9, including brief
descriptions. For more detailed information, see the appropriate
subsection for each item.
Configuration File Compatibility, Section 1.0
  * unimplemented options warning message        1.1
  * "transfer-format" option changes             1.1
  * configuration file errors                    1.2
  * logging categories have changed              1.3
  * configuration file startup errors            1.3
  * "query-source" is deprecated                 1.4
  * multiple classes change                      1.5

Zone File Compatibility, Section 2.0
  * stricter rules for TTLs in zone file         2.1
  * SOA serial number changes                    2.2
  * unbalanced quotes cause errors               2.3
  * line breaks, syntax change                   2.4
  * use \$ instead of $$ in domain names         2.5

Interoperability Impact of New Protocol Features, Section 3.0
  * EDNS0 new in BIND 9                          3.1
  * zone transfers default change                3.2

Unrestricted Character Set, Section 4.0
  * no restrictions on character set             4.0
  * security issue, improper naming              4.0

Server Administration Tools, Section 5.0
  * the rndc program replaces ndc                5.1
  * nsupdate: changes in multiple updates        5.2

No Information Leakage Between Zones, Section 6.0
  * glue NS records handled differently          6.0

Umask Not Modified, Section 7.0
  * possible umask permissions issues            7.0

1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

The BIND 9 name server supports most, but not all, of the configuration
options of the BIND 8 name server. For a complete list of implemented
options, see Appendix III of this document. If your named.conf file uses
an unimplemented option, the BIND 9 name server will log a warning
message. A message is also logged about each option whose default has
changed, unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from "one-answer"
to "many-answers". If you have slave servers that do not understand the
"many-answers" zone transfer format (e.g., BIND 4.9.5 and older) you need
to explicitly specify "transfer-format one-answer;" in either the options
block or a server statement.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in named.conf.
Earlier versions would start despite errors, causing the server to run
with a partial configuration. Errors detected during subsequent reloads do
not cause the server to exit.

Errors in master files do not cause the server to exit, but they do cause
the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that in BIND 8.
If you have customized your logging on a per-category basis, you need to
modify your logging statement to use the new categories.

Another difference is that the "logging" statement only takes effect after
the entire named.conf file has been read. This means that any messages
about errors in the configuration file are always logged to the default
destination (syslog) when the server first starts up, regardless of the
contents of the "logging" statement. In BIND 8, the new logging
configuration took effect immediately after the "logging" statement was
read.

1.4. Notify Messages and Refresh Queries

The source address and port for these are now controlled by
"notify-source" and "transfer-source", respectively, rather than
"query-source" as in BIND 8.

1.5. Multiple Classes

Multiple classes have to be put into explicit views for each class.

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted time-to-live (TTL) entries in zone files. Omitted TTLs are
replaced by the value specified with the $TTL directive, or by the
previous explicit TTL if there is no $TTL directive.

If there is no $TTL directive and the first Resource Record (RR) in the
file does not have an explicit TTL field, the zone file is illegal
according to RFC1035 since the TTL of the first RR is undefined.
Unfortunately, BIND 4 and many versions of BIND 8 accept such files
without warning and use the value of the SOA MINTTL field as a default for
missing TTL values.

Earlier versions of BIND 9 refused to load such files.
However, BIND 9.2.4 loads the files anyway (provided the SOA is the first
record in the file), but will issue a TTL warning message. To avoid
problems, we recommend that you use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded period,
like "3.002", and convert them into integers in a rather unintuitive way.
This feature is not supported by BIND 9; serial numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like

    host TXT "foo

were not treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error messages
like "unexpected end of file" because BIND 9 will interpret everything up
to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

    @ IN SOA ns.example. hostmaster.example.
    ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error by
BIND 9. The fix is to move the opening parenthesis to the first line.

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain name
is deprecated. Use \$ instead.

2.6. TXT Records Are No Longer Automatically Split

Some versions of BIND accepted TXT RDATA strings that contained more than
255 characters and silently split them into multiple RDATA records to
comply with the protocol. This feature has been removed, and the following
error is produced upon reading these records:

    "dns_rdata_fromtext: local.db:119: ran out of space"

To address this, split the string in the zone data file at or before the
255th character into two or more TXT records.

3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.
It also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardised, but
we hope it will be.

Most older servers that do not support EDNS0, including prior versions of
BIND, will send a FORMERR or NOTIMP response to these queries. When this
happens, BIND 9 will automatically retry the query without EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending an
error response. Resolving names in zones where all or most authoritative
servers use this server will be very slow or fail completely. The
manufacturer of the name server is working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be transmitted as
a single UDP datagram, which is subject to fragmentation at the IP level.
If a firewall incorrectly drops IP fragments, it can cause resolution to
slow down dramatically or fail.

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4. You can
work around this problem using the option "transfer-format one-answer;",
but since these old versions all have known security problems, the
correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a bug in
the Windows 2000 DNS server where DNS messages larger than 16K are not
handled properly. Obtain the latest service pack for Windows 2000 from
Microsoft to address this issue. In the meantime, the problem can be
worked around by setting "transfer-format one-answer;".

    http://support.microsoft.com/default.aspx?scid=kb;en-us;297936

4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names; it is fully
8-bit clean in accordance with RFC2181 section 11.
It is strongly recommended that hostnames published in the DNS follow the
RFC952 rules, but BIND 9.2.4 and above will not enforce this restriction.

Historically, some applications have suffered from security flaws where
data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see for
details. Some earlier versions of BIND attempt to protect these flawed
applications from attack by discarding data containing characters deemed
inappropriate in host names or mail addresses, under the control of the
"check-names" option in named.conf and/or "options no-check-names" in
resolv.conf.

BIND 9.2.4 provided no such protection; the advice was that applications
with these flaws should be upgraded. Subsequently, however, BIND 9.3.x
implements 'check-names'.

5. Server Administration Tools

5.1. ndc Replaced by rndc

The "ndc" program has been replaced by "rndc", which is capable of remote
operation. Unlike ndc, rndc requires a configuration file. The easiest way
to generate a configuration file is to run "rndc-confgen -a"; see the man
pages for rndc(1M), rndc-confgen(1M), and rndc.conf(5) for details.

While upgrading from previous Solaris releases to Solaris 10, the upgrade
process will detect if a /etc/rndc.key or /etc/rndc.conf file exists. If
neither file is found, it runs "rndc-confgen -a" and generates
/etc/rndc.key so that rndc can be run with a local DNS name server without
further user intervention.

More information about rndc is available in "Implementing rndc", later in
this document.

5.2. nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature where an
update request would be broken down into multiple requests based upon the
discovered zones that contained the records. This behaviour has not been
implemented in BIND 9.
Each update request must pertain to a single zone, but it is still
possible to do multiple updates in a single invocation of nsupdate by
terminating each update with an empty line or a "send" command.

6. No Information Leakage Between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and IXFR.

When a BIND 9 server is authoritative for both a child zone and its
parent, it will have two distinct sets of NS records at the delegation
point: the authoritative NS records at the child's apex, and a set of glue
NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case of
children of type "stub", this behaviour was documented as a feature,
allowing the glue NS records to be omitted from the parent configuration.

Sites that were relying on this BIND 8 behaviour need to add any omitted
glue NS records, and any necessary glue A records, to the parent zone.
Although stub zones can no longer be used as a mechanism for injecting NS
records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name servers.

7. Umask Not Modified

The BIND 8 named unconditionally sets the umask to 022. BIND 9 does not;
the umask inherited from the parent process remains in effect. This may
cause files created by named, such as journal files, to be created with
different file permissions than they were in BIND 8. If necessary, the
umask should be set explicitly in the script used to start the named
process.

8. BIND 9 name server and the Service Management Facility

The DNS BIND 9 named(1M) service can be managed by using the Service
Management Facility (SMF). For more information, see the smf(5) man page.
The SUNWbindr package provides the BIND 9 service manifest and must be
installed. When you use SMF, the following items apply.

  - Administrative actions on this service, such as enabling, disabling,
    or restarting, can be performed by using the svcadm(1M) command.

  - The default Fault Managed Resource Identifier (FMRI) for the BIND 9
    DNS server is svc:/network/dns/server. The FMRI for the DNS client is
    svc:/network/dns/client.

  - You can query the state of the BIND 9 DNS service by using svcs(1).
    For example:

        # svcs svc:network/dns/server:default
        STATE          STIME    FMRI
        online         16:24:04 svc:/network/dns/server:default

The upgrade to Solaris 10 will detect an existing /etc/named.conf file
and enable the BIND 9 service to start up after the upgrade is completed
and the system is rebooted.

To start the BIND 9 DNS service on a Solaris 10 system:

  a. Create/Copy a valid /etc/named.conf file.

  b. Verify that the SUNWbind and SUNWbindr packages, including any
     required packages, are installed correctly.

  c. Enable the default service instance using svcadm(1M). For example:

        # svcadm enable svc:network/dns/server:default

While it is recommended that you use svcadm(1M) to administer the server,
you can use rndc(1M) as well. SMF is aware of the state change of the
BIND 9 named service, whether administered by using svcadm(1M) or
rndc(1M).

NOTE: smf(5) will not be aware of the BIND 9 named(1M) service if the
service is manually executed from the command line.

NOTE: rndc(1M) is not able to stop the service when used in a chroot(2)
environment under smf(1M) control.
8.1 Name Server SMF Properties

Relevant named(1M) options for use with smf(1) may be applied using
service application properties:

  - options/configuration_file
    Specifies the configuration file to be used instead of the default
    /etc/named.conf. To ensure that reloading the configuration file
    continues to work after the server has changed its working directory
    due to a possible directory option in the configuration file, the
    configuration file should be an absolute pathname. The configuration
    pathname should not include the chroot_dir pathname. This property is
    synonymous with the -c option.

  - options/ip_interfaces
    Specifies which IP transport BIND will transmit on. Possible values
    are 'IPv4' or 'IPv6'. Any other setting assumes 'all', the default.
    This property is synonymous with command line option '-4' or '-6'.

  - options/listen_on_port
    Specifies the default UDP and TCP port which will be used to listen
    for DNS requests. This property is synonymous with command line option
    '-p port'.

  - options/debug_level
    Specifies the default debug level. The default is 0; no debugging.
    The higher the number, the more verbose the debug information becomes.
    Synonymous with command line option '-d debug-level'.

  - options/threads
    Specifies the number of CPU worker threads to create. The default of 0
    causes named to try and determine the number of CPUs present and
    create one thread per CPU. Synonymous with command line option
    '-n #cpus'.

  - options/chroot_dir
    Specifies the directory to be used as the root directory after
    processing SMF properties and the command line arguments but before
    reading the configuration file. Use this property when using a
    chroot(2) environment. Synonymous with command line option '-t '.
    When using chroot(2), named is unable to disable itself when
    receiving rndc(1M) stop or halt commands, and you must instead use the
    svcadm(1M) disable command.

  - options/server
    Specifies an alternative execution path. If unset then the default
    server /usr/sbin/named is assumed.
The following examples show how the application properties may be used:

Example 1: Configuring named(1M) in future to only transmit over IPv4
networks:

    # svccfg -s svc:network/dns/server:default setprop \
        options/ip_interfaces=IPv4
    # svcadm refresh svc:network/dns/server:default
    # svcadm restart svc:network/dns/server:default

Example 2: List the current configuration file and change to an
alternative file:

    # svcprop -p options/configuration_file dns/server:default
    ""
    # svccfg -s dns/server:default setprop \
        options/configuration_file=/var/named/named.conf
    # svcadm refresh dns/server:default
    # svcprop -p options/configuration_file dns/server:default
    /var/named/named.conf
    # svcadm restart svc:network/dns/server:default

The dns/server smf_method(5) script converts the application properties
to the relevant command line option. Changing the "start method" property
of the BIND 9 service is no longer recommended, as was stated here
previously.

For more information about the Service Management Facility, refer to
"Managing Services (Overview)" in System Administration Guide: Basic
Administration, available on http://docs.sun.com. Also refer to the
smf(5), svcs(1), svcadm(1M) and svccfg(1M) man pages and the BIND 9 name
service manifest server.xml in /lib/svc/manifest/network/dns.

*************************************
APPENDICES I-III

Appendix I. Implementing rndc
-----------------------------

The BIND 8 ndc(1M) and BIND 9 rndc(1M) name server control tools are NOT
backward compatible: rndc can't talk to the BIND 8 name server and ndc
can't talk to the BIND 9 name server. Features, options, default modes of
operation, and configuration file requirements have changed.

Ia. The rndc.conf Configuration File
------------------------------------

The most significant difference between ndc in BIND 8 and rndc in BIND 9
is that rndc needs its own configuration file, rndc.conf. This file can be
generated by rndc-confgen(1M) commands.
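As an added example (not rndc-confgen's code and not part of these notes), the following Python produces the same kind of rndc.conf and named.conf key/controls pair that rndc-confgen prints, and checks that a client file and a server file share a secret, which section Ib below says is mandatory. It assumes the key name "rndc-key" and port 953; unlike the sample named.conf entry below, it binds the control channel to the loopback address only, as rndc-confgen's own output does.

```python
"""Added example, not BIND's code: emit a matching rndc.conf and named.conf
key/controls pair the way rndc-confgen does, and verify that an existing
pair shares a secret (mandatory, see section Ib)."""
import base64
import re
import secrets

KEY_NAME = "rndc-key"                 # same key name as the sample files below


def new_secret(bits=128):
    """Fresh random HMAC-MD5 key, base64 as rndc-confgen writes it (128 bits)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def key_clause(secret, name=KEY_NAME):
    """The key statement that must appear identically in both files."""
    return 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' % (name, secret)


def rndc_conf(secret, server="127.0.0.1", port=953, name=KEY_NAME):
    """Client side: contents of /etc/rndc.conf."""
    return key_clause(secret, name) + (
        '\noptions {\n\tdefault-key "%s";\n\tdefault-server %s;\n'
        '\tdefault-port %d;\n};\n' % (name, server, port))


def named_conf_controls(secret, listen="127.0.0.1", port=953, name=KEY_NAME):
    """Server side: key plus controls statement for named.conf.  Unlike the
    sample below (inet * allow { any; }), this binds the control channel to
    the loopback address only, as rndc-confgen's own output does; a remote
    rndc then needs an explicit address and allow list rather than * / any."""
    return key_clause(secret, name) + (
        '\ncontrols {\n\tinet %s port %d allow { %s; } keys { "%s"; };\n};\n'
        % (listen, port, listen, name))


# key "<name>" { ... secret "<secret>" ... } as written by either file
_KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{[^}]*?secret\s+"([^"]+)"', re.S)


def shared_keys(rndc_text, named_text):
    """Key names whose secrets are identical in both files; rndc can only
    talk to named if its default-key is one of them."""
    client = dict(_KEY_RE.findall(rndc_text))
    server = dict(_KEY_RE.findall(named_text))
    return sorted(k for k in client if server.get(k) == client[k])


if __name__ == "__main__":
    s = new_secret()
    print(rndc_conf(s))
    print(named_conf_controls(s))
    print("shared keys:", shared_keys(rndc_conf(s), named_conf_controls(s)))
```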
The rndc.conf file specifies which server controls and what algorithm the
server should use.

Note that the /etc/rndc.conf and matching /etc/named.conf information is
only needed when using rndc to manage a remote BIND 9 name server. If rndc
is only used to manage a local BIND 9 name server, the /etc/rndc.key is
sufficient.

Sample rndc.conf File
---------------------

    options {
        default-server  localhost;
        default-key     "rndc-key";
    };

    key "rndc-key" {
        algorithm       hmac-md5;
        secret          "qPWZ3Ndl81aBRY9AmJhVtU==";
    };

Sample named.conf File Entry for rndc
-------------------------------------

    controls {
        inet * allow { any; } keys { "rndc-key"; };
    };

    key "rndc-key" {
        algorithm       hmac-md5;
        secret          "qPWZ3Ndl81aBRY9AmJhVtU==";
    };

Ib. Differences in the Control Channels
---------------------------------------

Both the ndc(1M) and the rndc(1M) utilities use a control channel to send
commands to and retrieve information from a name server. However, there
are differences between the utilities.

  * In BIND 8, ndc can use AF_UNIX domain sockets (UNIX control channel)
    or TCP/IP sockets (inet control channel). By default, ndc does not
    need any support in /etc/named.conf, because BIND 8 servers use a
    UNIX domain socket with a path (/var/run/ndc.d/ndc) compiled into
    in.named. In BIND 9, rndc uses an authenticated TCP/IP inet control
    channel by default, and is not backward compatible with BIND 8.

  * When using rndc, you need to specify a 'key' clause to communicate
    with the name server. It is mandatory that the BIND 9 server and the
    rndc client share the same key. Using the BIND 8 controls entry in
    BIND 9 will result in an error message.

  * Some command options have changed from the ndc to the rndc
    implementation. This includes the "-c" option, which has a different
    syntax in BIND 9. Therefore, to specify the control channel in BIND 9,
    use "rndc -s -p ".

Ic. Commands of BIND 9.3 rndc
-----------------------------

  reload                          Reload configuration file and zones.
  reload zone [class [view]]      Reload a single zone.
  refresh zone [class [view]]     Schedule immediate maintenance for a
                                  zone.
  retransfer zone [class [view]]  Retransfer a single zone without
                                  checking serial number.
  freeze zone [class [view]]**    Suspend updates to a dynamic zone.
  thaw zone [class [view]]**      Enable updates to a frozen dynamic zone
                                  and reload it.
  reconfig                        Reload configuration file and new zones
                                  only.
  stats                           Write server statistics to the
                                  statistics file.
  querylog                        Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]**
                                  Dump cache(s) to the dump file
                                  (named_dump.db).
  stop [-p]**                     Save pending updates to master files and
                                  stop the server; report process number
                                  if -p provided.
  halt [-p]**                     Stop the server without saving pending
                                  updates; report process number if -p
                                  provided.
  trace                           Increment debugging level by one.
  trace level                     Change the debugging level.
  notrace                         Set debugging level to 0.
  flush                           Flushes all of the server's caches.
  flush [view]                    Flushes the server's cache for a view.
  status                          Display status of the server.
  recursing**                     Dump the queries that are currently
                                  recursing (named.recursing).
  restart*                        Restart the server.

  *  = not yet implemented
  ** = New command or option in BIND 9.3.

Appendix II. BIND 9 Commands, Files, Tools, and Options
-------------------------------------------------------

IIa. Comparison of BIND 8 and BIND 9 Commands and Files
-------------------------------------------------------

The table below compares BIND 8 and BIND 9 commands and configuration
files. BIND 9 man pages install in /usr/man.
    -------------------------------------------------
    | BIND 8 Command     | BIND 9.3 replacement     |
    -------------------------------------------------
    | dnskeygen(1M)      | dnssec-keygen(1M)        |
    | ndc(1M)            | rndc(1M)                 |
    | named-bootconf(1M) | NONE NEEDED              |
    | nsupdate(1M)       | nsupdate(1M)             |
    | nslookup(1M)       | nslookup(1M)             |
    | named-xfer(1M)     | NONE NEEDED              |
    | in.named(1M)       | named(1M)                |
    | named.conf(4)      | named.conf*              |
    | dig(1M)            | dig(1M)                  |
    -------------------------------------------------

    * A detailed named.conf man page was not included with BIND 9
      originally. Appendix III includes a summary of the named.conf
      options that are supported in BIND 9.3.x at this time.

IIb. BIND 9 Tools and Configuration Files
-----------------------------------------

The following BIND 9.3 tools are available in the SUNWbind package and
installed in /usr/sbin:

    named            nsupdate         rndc
    dnssec-keygen    nslookup         dig
    dnssec-signzone  named-checkconf  named-checkzone
    rndc-confgen     host

The following BIND 9.3 configuration files are supported.

    /etc/rndc.conf

IIc. Descriptions of Command and Option Changes from 8.x to 9.x
---------------------------------------------------------------

Listed below are BIND 8 features/interfaces that are not supported in the
equivalent BIND 9 binary. This is not intended to be an exhaustive list of
the options, command line options or features for any BIND 9.x command.

1. in.named(1M): DNS Name server in.named command line options. In the
   BIND 9.3 name server, the "-g group_name", "-q", "-r" and
   "-w directory" options are not supported, and "-c config_file"
   replaces the BIND 8.x "-b config_file". See the named man page for
   further details.

2. dnssec-keygen: dnskeygen(1M) in BIND 8.x and dnssec-keygen from BIND
   9.2.x and above have no common options. See the dnssec-keygen man page
   for further details.

3. rndc(1M): See Appendix I in this document.

4. nsupdate(1M): in BIND 9.2.x and above, the syntax of the "-k" option
   changes in nsupdate. Instead of "-k keydir::keyname" the syntax is now
   "-k keyfile".
   The only other difference is that whereas a blank line was used to
   signal sending the input to the server, an explicit "send" sub-command
   is now used to do the same. See the nsupdate man page for further
   details.

5. nslookup(1M): the following options are unsupported in the BIND 9.2.x
   and above version: help, host server, set ignoretc, set noignoretc,
   set srch[list]=N1[/N2/.../N6], set ro[ot]=host, root, finger [USER],
   ls [opt] DOMAIN [> FILE].

6. named.conf: several options are unsupported, not implemented or have
   changed defaults. For a list of the option changes and a summary of
   all named.conf options, see Appendix III.

IId. Differences in BIND 9.3 from BIND 9.2
------------------------------------------

BIND 9.3 provides several changes from BIND 9.2, including but not
limited to:

1. DNSSEC tools provided by BIND 9.2.4 are not compatible with BIND 9.3.4
   and are replaced where applicable. Specifically, DNSSEC-bis
   functionality removes the need for dnssec-signkey(1M) and
   dnssec-makekeyset(1M); dnssec-keygen(1M) and dnssec-signzone(1M) now
   provide alternative functionality.

2. dig(1M) and nslookup(1M) now report "Not Implemented" as NOTIMP rather
   than NOTIMPL. This will affect scripts that are looking for NOTIMPL.

3. named(1M): the BIND server process includes new command line options
   to overcome certain operating environment issues; CR 6320428. These
   options are:

     * '-4' specifies to only send queries on IPv4 interfaces
     * '-6' specifies to only send queries on IPv6 interfaces.

   named(1M) by default will reject master zone files where hostnames or
   mail domain names have invalid syntax or characters. The rules for
   legal hostnames / mail domains are derived from RFC 952 and RFC 821 as
   modified by RFC 1123.

     * Corrective action should be to change the host names with illegal
       syntax or characters, such as underscore (_) characters. Use
       "named-checkconf -z /etc/named.conf" to check validity of the
       named configuration file and any zone files referenced by it.
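The following is an added example, not part of BIND or of these notes: a small lint that reads a master file and reports the zone-file pitfalls of sections 2.1 through 2.6 together with the RFC 952/1123 hostname rule just described, in the warn/fail/ignore modes of the check-names option. It is an approximation for pre-migration triage, not a substitute for named-checkzone or "named-checkconf -z"; the sample zone at the bottom is constructed to trip every check.

```python
"""Added example, not BIND's code: lint a zone file for the pitfalls of
sections 2.1-2.6 and the check-names hostname rule of BIND 9.3 named(1M)."""
import re

# RFC 952 label as amended by RFC 1123: letters, digits and inner hyphens;
# "*" is allowed for wildcards.  An underscore fails the rule.
_LABEL = re.compile(r"^(\*|[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)$")
_TTL = re.compile(r"^\d+[smhdw]?$", re.I)
# quoted string | unterminated quote | paren | comment | bare token
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(")|([()])|(;.*)|([^\s()";]+)')

def legal_hostname(name):
    # True if every label of name passes the check-names hostname rules.
    if name == "@":                    # the origin; not judged without $ORIGIN
        return True
    return all(_LABEL.match(lab) for lab in name.rstrip(".").split("."))

def _tokenize(line, lineno, issues):
    """One master-file line -> (kind, text) tokens, kind in tok/str/paren."""
    tokens = []
    for m in _TOKEN.finditer(line):
        if m.group(4) is not None:         # ; comment runs to end of line
            break
        if m.group(2) is not None:         # 2.3: a quote that is never closed
            issues.append((lineno, "error", "2.3", "unbalanced quote"))
            break
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))
        elif m.group(3) is not None:
            tokens.append(("paren", m.group(3)))
        else:
            tokens.append(("tok", m.group(5)))
    return tokens

def _check_record(fields, strings, lineno, omitted, st, mode, issues):
    """Check one complete record (fields: bare tokens, strings: quoted ones)."""
    if not fields:
        return
    head = fields[0].upper()
    if head == "$TTL":
        st["ttl_directive"] = True
    elif head == "$GENERATE" and any("$$" in f for f in fields):
        issues.append((lineno, "warning", "2.5", "$$ is deprecated; use \\$"))
    if head.startswith("$"):
        return
    owner, i = (st["last_owner"], 0) if omitted else (fields[0], 1)
    ttl = None
    while i < len(fields) and (_TTL.match(fields[i]) or        # [ttl] [class]
                               fields[i].upper() in ("IN", "CH", "HS")):
        ttl = fields[i] if _TTL.match(fields[i]) else ttl
        i += 1
    if i >= len(fields):
        return
    rtype, rdata = fields[i].upper(), fields[i + 1:]
    st["last_owner"] = owner
    if not st["seen_rr"]:              # 2.1: the first RR's TTL must be defined
        st["seen_rr"] = True
        if ttl is None and not st["ttl_directive"]:
            issues.append((lineno, "warning", "2.1", "first RR has no TTL and no $TTL"))
    if rtype == "SOA" and len(rdata) > 2 and "." in rdata[2]:
        issues.append((lineno, "error", "2.2", "SOA serial %r is not an integer" % rdata[2]))
    if rtype == "TXT" and any(len(s) > 255 for s in strings):
        issues.append((lineno, "error", "2.6", "TXT string over 255 chars; split it"))
    names = [(owner, rtype in ("A", "AAAA")),            # owner must be a hostname
             (rdata[-1] if rdata else "", rtype in ("NS", "MX", "CNAME"))]  # target too
    bad = [n for n, hit in names if hit and n and not legal_hostname(n)]
    if bad and mode != "ignore":
        issues.append((lineno, mode, "check-names", "illegal hostname: " + ", ".join(bad)))

def lint_zone(text, check_names="fail"):
    """Sorted (line, severity, code, message) tuples; check_names mirrors the
    named.conf option: 'fail' (the 9.3 master default), 'warn' or 'ignore'."""
    issues, st = [], {"ttl_directive": False, "seen_rr": False, "last_owner": "@"}
    depth, fields, strings, rec_line, omitted = 0, [], [], 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = _tokenize(raw, lineno, issues)
        if not tokens:
            continue
        if depth == 0 and tokens[0] == ("paren", "(") and fields:   # 2.4
            issues.append((lineno, "error", "2.4", "move the opening ( to the record's first line"))
        elif depth == 0:                                      # previous record complete
            _check_record(fields, strings, rec_line, omitted, st, check_names, issues)
            fields, strings, rec_line, omitted = [], [], lineno, raw[:1].isspace()
        depth += sum(1 if t == "(" else -1 for k, t in tokens if k == "paren")
        strings += [t for k, t in tokens if k == "str"]
        fields += [t for k, t in tokens if k == "tok"]
    _check_record(fields, strings, rec_line, omitted, st, check_names, issues)
    return sorted(issues)

# Constructed sample zone that trips every check (no $TTL on purpose).
SAMPLE = """\
@       IN SOA ns.example. hostmaster.example.
( 3.002 3600 1800 1814400 3600 )
        IN NS  ns.example.
ns      IN A   192.0.2.1
my_host IN A   192.0.2.2
bad     IN TXT "foo
long    IN TXT "%s"
$GENERATE 1-2 host$$$ IN A 192.0.2.$
""" % ("a" * 300)
for _line, _sev, _code, _msg in lint_zone(SAMPLE):         # demo run
    print("line %d: %s [%s] %s" % (_line, _sev, _code, _msg))
```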
   To aid migration the default functionality may be overridden using the
   check-names option of named.conf. For example, to allow zones with
   name failures to load but log warning messages (as is the default for
   slave (secondary) zones), modify or add an options statement to
   named.conf:

       options {
           check-names master warn;
       };

   named(1M) no longer provides the following functionality:

     * Inverse IPv6 queries to the obsolete ip6.int domain. The ip6.int
       domain is obsoleted by the ip6.arpa domain. See RFC 3596.
     * IPv6 A6 lookups are not forwarded; A6 is deprecated by RFC 3363.
     * IPv6 "bitstring" labels are not supported; the primary will refuse
       to load zone files with binary labels. Deprecated by RFC 3363.
     * Zones containing MD (Mail Destination) and MF (Mail Forwarder)
       records will now be rejected. The MD and MF resource record (RR)
       types were originally introduced in RFC 882 and subsequently
       obsoleted in RFC 1035 by the MX RR.

4. named.conf: Has additional options:

     * allow-update-forwarding
     * alt-transfer-source
     * alt-transfer-source-v6
     * avoid-v4-udp-ports
     * avoid-v6-udp-ports
     * check-names: Validate names in zones (from BIND 8).
     * disable-algorithms
     * dnssec-enable
     * dnssec-lookaside
     * dnssec-must-be-secure
     * dual-stack-servers: provides IPv4/IPv6 transition support.
     * edns-udp-size: Set advertised EDNS UDP size.
     * flush-zones-on-shutdown
     * hostname (chaos)
     * ixfr-from-differences: use IXFR deltas when loading master files.
     * masters: define masters for a zone.
     * max-journal-size: specify the size of a journal
     * multi-master
     * querylog
     * server-id (chaos)
     * Server statement grammar includes:
         * transfer-source
         * transfer-source-v6
         * tcp-listen-queue
         * use-alt-transfer-source
     * zone statement grammar:
         * multi-master
         * key-directory

   named.conf removed options:

     * allow-v6-synthesis: Obsolete. Caused named to translate ip6.int
       requests to ip6.arpa requests. As the ip6.int domain is now
       obsolete, this option has been removed.
     * zone-statistics has been removed from the 'view' statement.

5. dig(1M) has new command line options:

     -4              use IPv4 query transport only
     -6              use IPv6 query transport only
     +[no]aaflag     Set AA flag in query (+[no]aaflag)
     +[no]cl         Control display of class in records
     +[no]ttlid      Control display of ttls in records
     +tries=#        Set number of UDP attempts [3]
     +retry=#        Set number of UDP retries [2]

6. named-checkconf(1M) has new options:

     -z              Perform a check load of the master zone files found
                     in named.conf.
     -j              When loading a zonefile read the journal if it
                     exists.

7. named-checkzone(1M) has new options:

     -k mode         Perform "check-name" checks with the specified
                     failure mode.
     -n mode         Check NS records are addresses, mode is warn, fail
                     or ignore.
     -o filename     Write zone output to filename.
     -t directory    chroot to directory, useful for include statements.
     -w directory    chdir to directory, useful for include statements.
     -D              Dump zone file in canonical format.

8. rndc(1M) has several new subcommands including: freeze, thaw,
   flushname and recursing (see above). Several subcommands have new
   options, namely stop, halt and dumpdb.

9. nsupdate(1M) generates SIG(0) signed messages.

Appendix III. The named.conf Options
------------------------------------

IIIa. Changes in the Options Section
------------------------------------

The following list compares the named.conf options between BIND 8 and
BIND 9. It also provides a brief description of the change. "OK" denotes
the option works unchanged for the BIND 9 named.
    options {
        [ version version_string; ]                     OK
        [ directory path_name; ]                        OK
        [ named-xfer path_name; ]                       Obsolete (*1)
        [ dump-file path_name; ]                        OK
        [ memstatistics-file path_name; ]               Not Implemented
        [ pid-file path_name; ]                         OK
        [ statistics-file path_name; ]                  OK
        [ auth-nxdomain yes_or_no; ]                    OK (*2)
        [ dialup yes_or_no; ]                           OK
        [ fake-iquery yes_or_no; ]                      Obsolete
        [ fetch-glue yes_or_no; ]                       Obsolete
        [ has-old-clients yes_or_no; ]                  Obsolete
        [ host-statistics yes_or_no; ]                  Not Implemented
        [ host-statistics-max number; ]                 Not Implemented
        [ multiple-cnames yes_or_no; ]                  Obsolete
        [ notify yes_or_no | explicit; ]                OK
        [ recursion yes_or_no; ]                        OK
        [ rfc2308-type1 yes_or_no; ]                    Not Implemented
        [ use-id-pool yes_or_no; ]                      Obsolete
        [ treat-cr-as-space yes_or_no; ]                Obsolete
        [ also-notify yes_or_no; ]                      Syntax Changed (*3)
        [ forward ( only | first ); ]                   OK (*4)
        [ forwarders { in_addr ; \
            [ in_addr ; ... ] }; ]                      OK (*5)
        [ check-names ( master | slave | \
            response ) ( warn | fail | ignore ); ]      OK (*8)
        [ allow-query { address_match_list }; ]         OK
        [ allow-recursion { address_match_list }; ]     OK
        [ allow-transfer { address_match_list }; ]      OK
        [ blackhole { address_match_list }; ]           OK
        [ listen-on [ port ip_port ] \
            { address_match_list }; ]                   OK
        [ query-source [ address ( ip_addr | * ) ] \
            [ port ( ip_port | * ) ] ; ]                OK
        [ lame-ttl number; ]                            OK
        [ max-transfer-time-in number; ]                OK
        [ max-ncache-ttl number; ]                      OK
        [ min-roots number; ]                           Not Implemented
        [ transfer-format ( one-answer | \
            many-answers ); ]                           OK (*6)
        [ transfers-in number; ]                        OK
        [ transfers-out number; ]                       OK
        [ transfers-per-ns number; ]                    OK
        [ transfer-source ip_addr; ]                    OK
        [ maintain-ixfr-base yes_or_no; ]               Obsolete
        [ max-ixfr-log-size number; ]                   Obsolete (*7)
        [ coresize size_spec ; ]                        OK
        [ datasize size_spec ; ]                        OK
        [ files size_spec ; ]                           OK
        [ stacksize size_spec ; ]                       OK
        [ cleaning-interval number; ]                   OK
        [ heartbeat-interval number; ]                  OK
        [ interface-interval number; ]                  OK
        [ statistics-interval number; ]                 Not Implemented
        [ topology { address_match_list }; ]            Not Implemented
        [ sortlist { address_match_list }; ]            OK
        [ rrset-order { order_spec ; \
            [ order_spec ; ... ] }; ]                   Not Implemented
    };

    (*1) Obsolete due to architectural differences.
    (*2) Default set to yes in BIND 8, no in BIND 9.
    (*3) Needs an IP address for "yes".
    (*4) Doesn't work if no forwarder specified; gives an error of
         "no matching 'forwarders' statement" in that case.
    (*5) See [ forward ] clause.
    (*6) Default set to one-answer in BIND 8 and many-answers in BIND 9.
    (*7) No need for this option as BIND 9 trims the size of its log file
         automatically.
    (*8) Implemented in BIND 9.3.4.

IIIb. Statements in BIND 9
--------------------------

The Controls Statement
----------------------

Syntax

    controls {
        [ inet ip_addr port ip_port allow { address_match_list; }; ]  OK
        [ unix path_name perm number owner number group number; ]    Not Implemented
    };

Note: "unix" is the default for ndc(1M) and all of the arguments are
compiled in. "inet" is the only option for rndc and nothing is compiled
in.

Logging syntax has changed significantly. See section IIIc for a list of
named.conf options.

The Zone Statement
------------------

The syntax for the zone statement in the BIND 8 named.conf man page is
mostly supported for BIND 9 except for the following:

    [ pubkey number number number string; ]             Obsolete

The ACL Statement
-----------------

Syntax

    acl name { address_match_list };

Works unchanged in BIND 9.

The Key Statement
-----------------

Syntax

    key key_id {
        algorithm algorithm_id;
        secret secret_string;
    };

Works unchanged in BIND 9.

The Trusted-Keys Statement
--------------------------

Syntax

    trusted-keys {
        [ domain_name flags protocol algorithm key; ]
    };

Works unchanged, however the code to use this statement has been turned
off in BIND 9.2.4.

The Server Statement
--------------------

Syntax

    server ip_addr {
        [ bogus yes_or_no; ]
        [ transfers number; ]
        [ transfer-format ( one-answer | many-answers ); ]
        [ keys { key_id [ key_id ... ] }; ]
        [ edns yes_or_no; ]
    };

"support-ixfr" is obsolete, however all of the above options work
unchanged in BIND 9. Note the default for transfer-format has changed.

The Include Statement
---------------------

Syntax

    include path_name;

Works unchanged in BIND 9.

IIIc. Summary of the named.conf Options
---------------------------------------

A detailed named.conf man page was not included with BIND 9 originally.
Following is a summary of the named.conf options that are supported in
BIND 9.3.6.

    acl string { address_match_element; ... };

    key domain_name {
        algorithm string;
        secret string;
    };

    masters string [ port integer ] {
        ( masters
        | ipv4_address [port integer]
        | ipv6_address [port integer] ) [ key string ]; ...
    };

    server ( ipv4_address | ipv6_address ) {
        bogus boolean;
        edns boolean;
        provide-ixfr boolean;
        request-ixfr boolean;
        keys server_key;
        transfers integer;
        transfer-format ( many-answers | one-answer );
        transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
        transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
        support-ixfr boolean; // obsolete
    };

    trusted-keys {
        domain_name flags protocol algorithm key; ...
    };

    controls {
        inet ( ipv4_address | ipv6_address | * ) [ port ( integer | * ) ]
            allow { address_match_element; ... } [ keys { string; ... } ];
        unix unsupported; // not implemented
    };

    logging {
        channel string {
            file log_file;
            syslog optional_facility;
            null;
            stderr;
            severity log_severity;
            print-time boolean;
            print-severity boolean;
            print-category boolean;
        };
        category string { string; ... };
    };

    options {
        avoid-v4-udp-ports { port; ... };
        avoid-v6-udp-ports { port; ... };
        blackhole { address_match_element; ... };
        coresize size;
        datasize size;
        directory quoted_string;
        cache-file quoted_string; // test option
        dump-file quoted_string;
        files size;
        heartbeat-interval integer;
        host-statistics boolean; // not implemented
        host-statistics-max number; // not implemented
        hostname ( quoted_string | none );
        interface-interval integer;
        listen-on [ port integer ] { address_match_element; ... };
        listen-on-v6 [ port integer ] { address_match_element; ... };
        match-mapped-addresses boolean;
        memstatistics-file quoted_string;
        pid-file ( quoted_string | none );
        port integer;
        querylog boolean;
        recursing-file quoted_string;
        reserved-sockets integer;
        random-device quoted_string;
        recursive-clients integer;
        serial-query-rate integer;
        server-id ( quoted_string | none );
        stacksize size;
        statistics-file quoted_string;
        statistics-interval integer; // not yet implemented
        tcp-clients integer;
        tcp-listen-queue integer;
        tkey-dhkey quoted_string integer;
        tkey-gssapi-credential quoted_string;
        tkey-domain quoted_string;
        transfers-per-ns integer;
        transfers-in integer;
        transfers-out integer;
        use-ixfr boolean;
        version ( quoted_string | none );
        allow-recursion { address_match_element; ... };
        sortlist { address_match_element; ... };
        topology { address_match_element; ... }; // not implemented
        auth-nxdomain boolean; // default changed
        minimal-responses boolean;
        recursion boolean;
        rrset-order { [ class string ] [ type string ] [ name quoted_string ] string string; ...
}; provide-ixfr boolean; request-ixfr boolean; rfc2308-type1 boolean; // not yet implemented additional-from-auth boolean; additional-from-cache boolean; query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ]; query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ]; cleaning-interval integer; min-roots integer; // not implemented lame-ttl integer; max-ncache-ttl integer; max-cache-ttl integer; transfer-format ( many-answers | one-answer ); max-cache-size size_no_default; check-names ( master | slave | response ) ( fail | warn | ignore ); cache-file quoted_string; suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers [ port integer ] { ( quoted_string [port integer] | ipv4_address [port integer] | ipv6_address [port integer] ); ... } edns-udp-size integer; root-delegation-only [ exclude { quoted_string; ... } ]; disable-algorithms string { string; ... }; dnssec-enable boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dialup dialuptype; ixfr-from-differences ixfrdiff; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... 
}; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; allow-v6-synthesis { address_match_element; ... }; // obsolete deallocate-on-exit boolean; // obsolete fake-iquery boolean; // obsolete fetch-glue boolean; // obsolete has-old-clients boolean; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete multiple-cnames boolean; // obsolete named-xfer quoted_string; // obsolete serial-queries integer; // obsolete treat-cr-as-space boolean; // obsolete use-id-pool boolean; // obsolete }; view string optional_class { match-clients { address_match_element; ... }; match-destinations { address_match_element; ... }; match-recursive-only boolean; key string { algorithm string; secret string; }; zone string optional_class { ... }; server ( ipv4_address | ipv6_address ) { ... }; trusted-keys { string integer integer integer quoted_string; ... }; allow-recursion { address_match_element; ... }; sortlist { address_match_element; ... }; topology { address_match_element; ... }; // not implemented auth-nxdomain boolean; // default changed minimal-responses boolean; recursion boolean; rrset-order { [ class string ] [ type string ] [ name quoted_string ] string string; ... 
}; provide-ixfr boolean; request-ixfr boolean; rfc2308-type1 boolean; // not yet implemented additional-from-auth boolean; additional-from-cache boolean; query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ]; query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ]; cleaning-interval integer; min-roots integer; // not implemented lame-ttl integer; max-ncache-ttl integer; max-cache-ttl integer; transfer-format ( many-answers | one-answer ); max-cache-size size_no_default; check-names ( master | slave | response ) ( fail | warn | ignore ); cache-file quoted_string; suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers [ port integer ] { ( quoted_string [port integer] | ipv4_address [port integer] | ipv6_address [port integer] ); ... }; edns-udp-size integer; root-delegation-only [ exclude { quoted_string; ... } ]; disable-algorithms string { string; ... }; dnssec-enable boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dialup dialuptype; ixfr-from-differences ixfrdiff; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... 
}; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; allow-v6-synthesis { address_match_element; ... }; // obsolete fetch-glue boolean; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete }; zone string optional_class { type ( master | slave | stub | hint | forward | delegation-only ); file quoted_string; masters [ port integer ] { ( masters | ipv4_address [port integer] | ipv6_address [ port integer ] ) [ key string ]; ... }; database string; delegation-only boolean; check-names ( fail | warn | ignore ); dialup dialuptype; ixfr-from-differences boolean; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; update-policy { ( grant | deny ) string ( name | subdomain | wildcard | self ) string rrtypelist; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... 
}; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; ixfr-base quoted_string; // obsolete ixfr-tmp-file quoted_string; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete pubkey integer integer integer quoted_string; // obsolete };
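As an added example (not part of these notes and not BIND code), the following Python script turns the BIND 8 option table in Appendix III into a pre-migration check. It scans a BIND 8 style named.conf, reports every statement the table marks Obsolete, Not Implemented or Syntax Changed (the also-notify yes/no form of footnote *3, and the controls "unix" clause), and lists the options whose default changed when they are not set explicitly, which is the case in which named itself logs a warning. The scanner is a deliberately small approximation of named.conf syntax (the three comment styles, nested braces, semicolon-terminated statements), the embedded configuration is constructed for the demonstration, and the key and secret values in it are placeholders.

```python
"""Audit a BIND 8 style named.conf for statements BIND 9 drops or changes.

Added example for the migration notes; not part of BIND.  STATUS and
DEFAULT_CHANGED are transcribed from the Appendix III option table and
its footnotes.  The scanner is a small approximation of named.conf syntax.
"""
import re

# BIND 8 options and their fate in BIND 9, per the Appendix III table.
STATUS = {
    "named-xfer": "Obsolete", "fake-iquery": "Obsolete",
    "fetch-glue": "Obsolete", "has-old-clients": "Obsolete",
    "multiple-cnames": "Obsolete", "use-id-pool": "Obsolete",
    "treat-cr-as-space": "Obsolete", "maintain-ixfr-base": "Obsolete",
    "max-ixfr-log-size": "Obsolete", "support-ixfr": "Obsolete",
    "pubkey": "Obsolete",
    "memstatistics-file": "Not Implemented", "host-statistics": "Not Implemented",
    "host-statistics-max": "Not Implemented", "rfc2308-type1": "Not Implemented",
    "min-roots": "Not Implemented", "statistics-interval": "Not Implemented",
    "topology": "Not Implemented", "rrset-order": "Not Implemented",
    "unix": "Not Implemented",  # the controls { unix ...; } clause
}

# Options whose default changed; named warns about these unless set explicitly.
DEFAULT_CHANGED = {
    "auth-nxdomain": "yes in BIND 8, no in BIND 9",
    "transfer-format": "one-answer in BIND 8, many-answers in BIND 9",
}


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # /* ... */
    return re.sub(r"(//|#).*", "", text)                  # // ... and # ...


def audit_named_conf(text):
    """Return [(block/keyword, note)] for every statement worth attention."""
    findings = []
    context = []           # stack of enclosing block keywords, e.g. ["options"]
    seen_in_options = set()
    buf = ""
    for ch in _strip_comments(text):
        if ch not in "{;}":
            buf += ch
            continue
        words, buf = buf.split(), ""
        if ch == "}":
            if context:
                context.pop()
            continue
        if not words:
            continue           # the ';' that follows a closing '}'
        keyword = words[0]
        path = "/".join(context + [keyword])
        if context == ["options"]:
            seen_in_options.add(keyword)
        if (keyword == "also-notify" and len(words) > 1
                and words[1].lower() in ("yes", "no")):
            # BIND 8 accepted yes/no; BIND 9 needs IP addresses (footnote *3).
            findings.append((path, "Syntax Changed: needs IP addresses, not yes/no"))
        elif keyword in STATUS:
            findings.append((path, STATUS[keyword]))
        if ch == "{":
            context.append(keyword)
    for keyword, change in DEFAULT_CHANGED.items():
        if keyword not in seen_in_options:
            findings.append(("options/" + keyword,
                             "Default Changed: %s (not set explicitly)" % change))
    return findings


# Constructed BIND 8 style configuration used only to exercise the audit;
# the key name, secret and pubkey values are placeholders.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    named-xfer "/usr/sbin/named-xfer";     // obsolete in BIND 9
    fetch-glue yes;                        # obsolete in BIND 9
    rfc2308-type1 no;                      /* not implemented in BIND 9 */
    transfer-format one-answer;            // set explicitly: no default warning
    also-notify yes;                       // BIND 8 form; BIND 9 needs addresses
    allow-transfer { 192.0.2.0/24; };
};
controls {
    unix "/var/run/ndc" perm 0600 owner 0 group 0;
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-NOT-A-REAL-SECRET"; };
zone "example.com" {
    type master;
    file "example.com.zone";
    pubkey 257 3 1 "PLACEHOLDER-NOT-A-REAL-KEY";
};
"""

if __name__ == "__main__":
    for path, note in audit_named_conf(SAMPLE_NAMED_CONF):
        print("%-24s %s" % (path, note))
```

Run against the embedded sample, the audit flags named-xfer, fetch-glue, rfc2308-type1 and the yes/no form of also-notify in the options block, the unix clause in controls, the zone-level pubkey, and the unset auth-nxdomain; transfer-format is set explicitly, so it produces no finding, matching the behaviour of named described in section 1.1.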