Table of Contents
This document summarizes changes since the last production release of BIND on the corresponding major release branch.
The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.
A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50).
The recursion depth limit is configured via the
max-recursion-depth option, and the query limit
The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in
named.conf which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]
A less serious security flaw was also found in GeoIP: changes
to the geoip-directory option in
named.conf were ignored when running
rndc reconfig. In theory, this could allow
named to allow access to unintended clients.
ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";).
When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)
NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently.
Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.
Added support for OPENPGPKEY type.
When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category.
If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked.
dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]
The error message generated when
named-checkconf -z encounters a
$TTL directive without a value has
been clarified. [RT #37138]
Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]
When files opened for writing by named,
such as zone journal files, were referenced more than once
named.conf, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading
and reported as an error. [RT #37172]
dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183]
UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233]
Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216]
When checking for updates to trust anchors listed in
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187]
When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN.
When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796]
Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965]
A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.
Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time.
The end of life for BIND 9.10 is yet to be determined but will not be before BIND 9.12.0 has been released for 6 months. https://www.isc.org/downloads/software-support-policy/
Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.
Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and 883. From 1984 to 1987, the ARPAnet (the precursor to today's Internet) became a testbed of experimentation for developing the new naming/addressing scheme in a rapidly expanding, operational network environment. New RFCs were written and published in 1987 that modified the original documents to incorporate improvements based on the working model. RFC 1034, "Domain Names-Concepts and Facilities", and RFC 1035, "Domain Names-Implementation and Specification" were published and became the standards upon which all DNS implementations are built.
The first working domain name server, called "Jeeves", was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines located at the University of Southern California's Information Sciences Institute (USC-ISI) and SRI International's Network Information Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration (DARPA).
Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and Øivind Kure.
BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. He was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.
In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.
BIND versions from 4.9.3 onward have been developed and maintained by the Internet Systems Consortium and its predecessor, the Internet Software Consortium, with support being provided by ISC's sponsors.
As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.
BIND version 9 was released in September 2000 and is a major rewrite of nearly all aspects of the underlying BIND architecture.
BIND versions 4 and 8 are officially deprecated. No additional development is done on BIND version 4 or BIND version 8.
BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.
IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: Unicast, an identifier for a single interface; Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global Unicast address scheme. For more information, see RFC 3587, "Global Unicast Address Format."
IPv6 unicast addresses consist of a global routing prefix, a subnet identifier, and an interface identifier.
The global routing prefix is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 network section of the address range. The subnet identifier is for local subnetting, much the same as subnetting an IPv4 /16 network into /24 subnets. The interface identifier is the address of an individual interface on a given network; in IPv6, addresses belong to interfaces rather than to machines.
The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can be carried out on bit boundaries, in much the same way as Classless InterDomain Routing (CIDR), and the DNS PTR representation ("nibble" format) makes setting up reverse zones easier.
The Interface Identifier must be unique on the local link, and is usually generated automatically by the IPv6 implementation, although it is usually possible to override the default setting if necessary. A typical IPv6 address might look like: 2001:db8:201:9:a00:20ff:fe81:2b32
IPv6 address specifications often contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon (`::') indicates the longest possible string of zeros that can fit, and can be used only once in an address.
Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
the number of the RFC). RFCs are also available via the Web at:
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
Note: the following list of RFCs, although DNS-related, are not concerned with implementing software.
Most of these have been consolidated into RFC4033, RFC4034 and RFC4035 which collectively describe DNSSECbis.
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are cautioned not to regard IDs as archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors.
This version of BIND 9 "exports" its internal libraries so that they can be used by third-party applications more easily (we call them "export" libraries in this document). In addition to all major DNS-related APIs BIND 9 is currently using, the export libraries provide the following features:
The newly created "DNS client" module. This is a higher level API that provides an interface to name resolution, single DNS transaction with a particular server, and dynamic update. Regarding name resolution, it supports advanced features such as DNSSEC validation and caching. This module supports both synchronous and asynchronous mode.
The new "IRS" (Information Retrieval System) library. It provides an interface to parse the traditional resolv.conf file and more advanced, DNS-specific configuration file for the rest of this package (see the description for the dns.conf file below).
As part of the IRS library, newly implemented standard address-name mapping functions, getaddrinfo() and getnameinfo(), are provided. They use the DNSSEC-aware validating resolver backend, and could use other advanced features of the BIND 9 libraries such as caching. The getaddrinfo() function resolves both A and AAAA RRs concurrently (when the address family is unspecified).
An experimental framework to support other event libraries than BIND 9's internal event task system.
GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that in some platforms you may need to invoke a different command name than "make" (e.g. "gmake") to indicate it's GNU make.
This will create (in addition to usual BIND 9 programs) and a
separate set of libraries under the lib/export directory. For
lib/export/dns/libdns.a is the archive file of the
export version of the BIND 9 DNS library. Sample application
programs using the libraries will also be built under the
lib/export/samples directory (see below).
This will install library object files under the directory specified by the --with-export-libdir configure option (default: EPREFIX/lib/bind9), and header files under the directory specified by the --with-export-includedir configure option (default: PREFIX/include/bind9). Root privilege is normally required. "make install" at the top directory will do the same.
To see how to build your own
application after the installation, see
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as before).
The "fixed" RRset order is not (currently) supported in the export library. If you want to use "fixed" RRset order for, e.g. named while still building the export library even without the fixed order support, build them separately:
[other flags, but not --enable-exportlib]
[other flags, but not --enable-fixed-rrset]
The client module and the IRS library currently do not support DNSSEC validation using DLV (the underlying modules can handle it, but there is no tunable interface to enable the feature).
RFC 5011 is not supported in the validating stub resolver of the export library. In fact, it is not clear whether it should: trust anchors would be a system-wide configuration which would be managed by an administrator, while the stub resolver will be used by ordinary applications run by a normal user.
Not all common
options are supported
in the IRS library. The only available options in this
version are "debug" and "ndots".
The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
Specifically, it is intended to provide DNSSEC related
configuration parameters. By default the path to this
configuration file is
This module is very
experimental and the configuration syntax or library interfaces
may change in future versions. Currently, only the
statement is supported, whose syntax is the same as the same name
of statement for
the section called “trusted-keys Statement Grammar” for details.)
Some sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of RRs. It can also act as a validating stub resolver if a trust anchor is given via a set of command line options.
Usage: sample [options] server_address hostname
Options and Arguments:
specify the RR type of the query. The default is the A RR.
specify a command-line DNS key to validate the answer. For example, to specify the following DNSKEY of example.com:
example.com. 3600 IN DNSKEY 257 3 5 xxx
specify the options as follows:
-e -k example.com -K "xxx"
-e means that this key is a zone's "key signing key" (as known as "secure Entry point"). When -a is omitted rsasha1 will be used by default.
specify a separate recursive server address for the specific "domain". Example: -s example.com:2001:db8::1234
an IP(v4/v6) address of the recursive server to which queries are sent.
the domain name for the query
Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names asynchronously.
Usage: sample-async [-s server_address] [-t RR_type] input_file
Options and Arguments:
It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a "stub resolver": it stops the processing once it gets any response from the server, whether it's a referral or an alias (CNAME or DNAME) that would require further queries to get the ultimate answer. In other words, this utility acts as a very simplified dig.
Usage: sample-request [-t RRtype] server_address hostname
Options and Arguments:
specify the RR type of the queries. The default is the A RR.
an IP(v4/v6) address of the recursive server to which the query is sent.
the domain name for the query
This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a host name as an argument, calls getaddrinfo() with the given host name, and calls getnameinfo() with the resulting IP addresses returned by getaddrinfo(). If the dns.conf file exists and defines a trust anchor, the underlying resolver will act as a validating resolver, and getaddrinfo()/getnameinfo() will fail with an EAI_INSECUREDATA error when DNSSEC validation fails.
Usage: sample-gai hostname
It accepts a single update command as a command-line argument, sends an update request message to the authoritative server, and shows the response from the server. In other words, this is a simplified nsupdate.
Usage: sample-update [options] (add|delete) "update data"
Options and Arguments:
An IP address of the authoritative server that has authority for the zone containing the update name. This should normally be the primary authoritative server that accepts dynamic updates. It can also be a secondary server that is configured to forward update requests to the primary server.
A TSIG key file to secure the update transaction. The keyfile format is the same as that for the nsupdate utility.
A prerequisite for the update (only one prerequisite can be specified). The prerequisite format is the same as that is accepted by the nsupdate utility.
An IP address of a recursive server that this utility will use. A recursive server may be necessary to identify the authoritative server address to which the update request is sent.
The domain name of the zone that contains
Specify the type of update operation. Either "add" or "delete" must be specified.
Specify the data to be updated. A typical example of the data would look like "name TTL RRtype RDATA".
Examples: assuming the primary authoritative server of the dynamic.example.com zone has an IPv6 address 2001:db8::1234,
sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"
adds an A RR for foo.dynamic.example.com using the given key.
sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"
removes all A RRs for foo.dynamic.example.com using the given key.
sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"
removes all RRs for foo.dynamic.example.com using the given key.
It checks a set of domains to see the name servers of the domains behave correctly in terms of RFC 4074. This is included in the set of sample programs to show how the export library can be used in a DNS-related application.
Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
run in the "debug" mode. with this option nsprobe will dump every RRs it receives.
increase verbosity of other normal log messages. This can be specified multiple times
specify an IP address of a recursive (caching) name server. nsprobe uses this server to get the NS RRset of each domain and the A and/or AAAA RRsets for the name servers. The default value is 127.0.0.1.
a file name containing a list of domain (zone) names to be probed. when omitted the standard input will be used. Each line of the input file specifies a single domain name such as "example.com". In general this domain name must be the apex name of some DNS zone (unlike normal "host names" such as "www.example.com"). nsprobe first identifies the NS RRsets for the given domain name, and sends A and AAAA queries to these servers for some "widely used" names under the zone; specifically, adding "www" and "ftp" to the zone name.