head	1.5;
access;
symbols
	RELENG_8_4:1.5.0.2
	RELENG_9_1_0_RELEASE:1.4.2.1
	RELENG_9_1:1.4.2.1.0.2
	RELENG_9_1_BP:1.4.2.1
	RELENG_8_3_0_RELEASE:1.3.2.1
	RELENG_8_3:1.3.2.1.0.2
	RELENG_8_3_BP:1.3.2.1
	RELENG_9_0_0_RELEASE:1.4
	RELENG_9_0:1.4.0.4
	RELENG_9_0_BP:1.4
	RELENG_9:1.4.0.2
	RELENG_9_BP:1.4
	RELENG_7_4_0_RELEASE:1.1.1.3.2.2
	RELENG_8_2_0_RELEASE:1.3
	RELENG_7_4:1.1.1.3.2.2.0.6
	RELENG_7_4_BP:1.1.1.3.2.2
	RELENG_8_2:1.3.0.8
	RELENG_8_2_BP:1.3
	RELENG_8_1_0_RELEASE:1.3
	RELENG_8_1:1.3.0.6
	RELENG_8_1_BP:1.3
	RELENG_7_3_0_RELEASE:1.1.1.3.2.2
	RELENG_7_3:1.1.1.3.2.2.0.4
	RELENG_7_3_BP:1.1.1.3.2.2
	RELENG_8_0_0_RELEASE:1.3
	RELENG_8_0:1.3.0.4
	RELENG_8_0_BP:1.3
	RELENG_8:1.3.0.2
	RELENG_8_BP:1.3
	RELENG_7_2_0_RELEASE:1.1.1.3.2.2
	RELENG_7_2:1.1.1.3.2.2.0.2
	RELENG_7_2_BP:1.1.1.3.2.2
	RELENG_7_1_0_RELEASE:1.1.1.3.2.1
	RELENG_6_4_0_RELEASE:1.1.1.2.2.1
	RELENG_7_1:1.1.1.3.2.1.0.4
	RELENG_7_1_BP:1.1.1.3.2.1
	RELENG_6_4:1.1.1.2.2.1.0.2
	RELENG_6_4_BP:1.1.1.2.2.1
	RELENG_7_0_0_RELEASE:1.1.1.3.2.1
	RELENG_6_3_0_RELEASE:1.1.1.2
	RELENG_7_0:1.1.1.3.2.1.0.2
	RELENG_7_0_BP:1.1.1.3.2.1
	BIND_9_4_2:1.1.1.4
	RELENG_6_3:1.1.1.2.0.10
	RELENG_6_3_BP:1.1.1.2
	RELENG_7:1.1.1.3.0.2
	RELENG_7_BP:1.1.1.3
	BIND_9_4_1_P1:1.1.1.3
	BIND_9_4_1:1.1.1.3
	BIND_9_3_4:1.1.1.2
	RELENG_6_2_0_RELEASE:1.1.1.2
	BIND_9_3_3:1.1.1.2
	RELENG_6_2:1.1.1.2.0.8
	RELENG_6_2_BP:1.1.1.2
	RELENG_5_5_0_RELEASE:1.1.1.1.2.2
	RELENG_5_5:1.1.1.1.2.2.0.4
	RELENG_5_5_BP:1.1.1.1.2.2
	RELENG_6_1_0_RELEASE:1.1.1.2
	RELENG_6_1:1.1.1.2.0.6
	RELENG_6_1_BP:1.1.1.2
	BIND_9_3_2:1.1.1.2
	RELENG_6_0_0_RELEASE:1.1.1.2
	RELENG_6_0:1.1.1.2.0.4
	RELENG_6_0_BP:1.1.1.2
	RELENG_6:1.1.1.2.0.2
	RELENG_6_BP:1.1.1.2
	RELENG_5_4_0_RELEASE:1.1.1.1.2.2
	RELENG_5_4:1.1.1.1.2.2.0.2
	RELENG_5_4_BP:1.1.1.1.2.2
	BIND_9_3_1:1.1.1.2
	RELENG_5_3_0_RELEASE:1.1.1.1.2.1
	RELENG_5_3:1.1.1.1.2.1.0.2
	RELENG_5_3_BP:1.1.1.1.2.1
	RELENG_5:1.1.1.1.0.2
	BIND_9_3_0:1.1.1.1
	BIND_9_3_0_RC4:1.1.1.1
	ISC:1.1.1;
locks; strict;
comment	@# @;


1.5
date	2012.04.05.04.29.35;	author dougb;	state Exp;
branches
	1.5.2.1;
next	1.4;

1.4
date	2011.05.28.00.21.28;	author dougb;	state Exp;
branches
	1.4.2.1;
next	1.3;

1.3
date	2009.05.31.05.42.58;	author dougb;	state Exp;
branches
	1.3.2.1;
next	1.2;

1.2
date	2008.12.23.22.47.56;	author dougb;	state Exp;
branches;
next	1.1;

1.1
date	2004.09.19.01.30.08;	author trhodes;	state Exp;
branches
	1.1.1.1;
next	;

1.5.2.1
date	2012.04.05.04.29.35;	author svnexp;	state dead;
branches;
next	1.5.2.2;

1.5.2.2
date	2013.03.28.13.00.21;	author svnexp;	state Exp;
branches;
next	;

1.4.2.1
date	2012.04.08.01.43.41;	author dougb;	state Exp;
branches;
next	;

1.3.2.1
date	2011.05.28.00.33.06;	author dougb;	state Exp;
branches;
next	1.3.2.2;

1.3.2.2
date	2012.04.05.04.31.17;	author dougb;	state Exp;
branches;
next	;

1.1.1.1
date	2004.09.19.01.30.08;	author trhodes;	state Exp;
branches
	1.1.1.1.2.1;
next	1.1.1.2;

1.1.1.2
date	2005.03.17.08.02.46;	author dougb;	state Exp;
branches
	1.1.1.2.2.1;
next	1.1.1.3;

1.1.1.3
date	2007.06.02.23.21.18;	author dougb;	state Exp;
branches
	1.1.1.3.2.1;
next	1.1.1.4;

1.1.1.4
date	2007.12.02.19.10.22;	author dougb;	state Exp;
branches;
next	;

1.1.1.1.2.1
date	2004.09.26.03.09.39;	author des;	state Exp;
branches;
next	1.1.1.1.2.2;

1.1.1.1.2.2
date	2005.03.23.18.16.26;	author dougb;	state Exp;
branches;
next	;

1.1.1.2.2.1
date	2008.06.03.05.38.10;	author dougb;	state Exp;
branches;
next	;

1.1.1.3.2.1
date	2007.12.07.08.31.11;	author dougb;	state Exp;
branches;
next	1.1.1.3.2.2;

1.1.1.3.2.2
date	2009.01.10.03.00.21;	author dougb;	state Exp;
branches;
next	1.1.1.3.2.3;

1.1.1.3.2.3
date	2011.05.28.00.58.19;	author dougb;	state Exp;
branches;
next	;


desc
@@


1.5
log
@SVN rev 233914 on 2012-04-05 04:29:35Z by dougb

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
@
text
@Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                   BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there is still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9 supports most, but not all of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message.  A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers".  If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older) you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.

BIND 9.4 onwards implements "allow-query-cache".  The "allow-query"
option is no longer used to specify access to the cache.  The
"allow-query" option continues to specify which hosts are allowed
to ask ordinary DNS questions.  The new "allow-query-cache" option
is used to specify which hosts are allowed to get answers from the
cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
"allow-recursion" is used if it is set, otherwise "allow-query" is
used if it is set, otherwise the default localnets and localhost
is used.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf.  Earlier versions would start despite errors, causing the
server to run with a partial configuration.  Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files do not cause the server to exit, but they
do cause the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8.  If you have customised your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read.  This means that when
the server starts up, any messages about errors in the configuration
file are always logged to the default destination (syslog) when the
server first starts up, regardless of the contents of the "logging"
statement.  In BIND 8, the new logging configuration took effect
immediately after the "logging" statement was read.

1.4. Notify messages and Refresh queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather that
query-source as in BIND 8.

1.5. Multiple Classes.

Multiple classes have to be put into explicit views for each class.


2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted TTLs in zone files.  Omitted TTLs are replaced by the value
specified with the $TTL directive, or by the previous explicit TTL if
there is no $TTL directive.

If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the zone file is illegal according to
RFC1035 since the TTL of the first RR is undefined.  Unfortunately,
BIND 4 and many versions of BIND 8 accept such files without warning
and use the value of the SOA MINTTL field as a default for missing TTL
values.

BIND 9.0 and 9.1 completely refused to load such files.  BIND 9.2
emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
files anyway (provided the SOA is the first record in the file), but
will issue the warning message "no TTL specified; using SOA MINTTL
instead".

To avoid problems, we recommend that you use a $TTL directive in each
zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way.  This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND.  If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

	@@	IN SOA	ns.example. hostmaster.example.
			( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9.  The fix is to move the opening parenthesis to the first
line.

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated.  Use \$ instead.

2.6. TXT records are no longer automatically split.

Some versions of BIND accepted strings in TXT RDATA consisting of more
than 255 characters and silently split them to be able to encode the
strings in a protocol conformant way. You may now see errors like this
        dns_rdata_fromtext: local.db:119: ran out of space
if you have TXT RRs with too longs strings. Make sure to split the
string in the zone data file at or before a single one reaches 255
characters.

3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response.  Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely.  We have contacted the manufacturer of the name server in
case, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level.  If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.  
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a
bug in the Windows 2000 DNS server where DNS messages larger than
16K are not handled properly.  Obtain the latest service pack for
Windows 2000 from Microsoft to address this issue.  In the meantime,
the problem can be worked around by setting "transfer-format one-answer;".
http://support.microsoft.com/default.aspx?scid=kb;en-us;297936

4. Unrestricted Character Set

		BIND 9.2 only

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details.  Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf.  BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.

	BIND 9.3 onwards implements check-names.

5. Server Administration Tools

5.1 Ndc Replaced by Rndc

The "ndc" program has been replaced by "rndc", which is capable of
remote operation.  Unlike ndc, rndc requires a configuration file.
The easiest way to generate a configuration file is to run
"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
and rndc.conf(5) for details.

5.2. Nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature
where an update request would be broken down into multiple requests
based upon the discovered zones that contained the records.  This
behaviour has not been implemented in BIND 9.  Each update request
must pertain to a single zone, but it is still possible to do multiple
updates in a single invocation of nsupdate by terminating each update
with an empty line or a "send" command.


6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR.  When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any).  In the case
of children of type "stub", this behaviour was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behaviour need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.


7. Umask not Modified

The BIND 8 named unconditionally sets the umask to 022.  BIND 9 does
not; the umask inherited from the parent process remains in effect.
This may cause files created by named, such as journal files, to be
created with different file permissions than they did in BIND 8.  If
necessary, the umask should be set explicitly in the script used to
start the named process.


$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
@


1.5.2.1
log
@file migration was added on branch RELENG_8_4 on 2013-03-28 13:00:21 +0000
@
text
@d1 267
@


1.5.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 267
Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                   BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there is still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9 supports most, but not all of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message.  A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers".  If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older) you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.

BIND 9.4 onwards implements "allow-query-cache".  The "allow-query"
option is no longer used to specify access to the cache.  The
"allow-query" option continues to specify which hosts are allowed
to ask ordinary DNS questions.  The new "allow-query-cache" option
is used to specify which hosts are allowed to get answers from the
cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
"allow-recursion" is used if it is set, otherwise "allow-query" is
used if it is set, otherwise the default localnets and localhost
is used.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf.  Earlier versions would start despite errors, causing the
server to run with a partial configuration.  Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files do not cause the server to exit, but they
do cause the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8.  If you have customised your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read.  This means that when
the server starts up, any messages about errors in the configuration
file are always logged to the default destination (syslog) when the
server first starts up, regardless of the contents of the "logging"
statement.  In BIND 8, the new logging configuration took effect
immediately after the "logging" statement was read.

1.4. Notify messages and Refresh queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather that
query-source as in BIND 8.

1.5. Multiple Classes.

Multiple classes have to be put into explicit views for each class.


2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted TTLs in zone files.  Omitted TTLs are replaced by the value
specified with the $TTL directive, or by the previous explicit TTL if
there is no $TTL directive.

If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the zone file is illegal according to
RFC1035 since the TTL of the first RR is undefined.  Unfortunately,
BIND 4 and many versions of BIND 8 accept such files without warning
and use the value of the SOA MINTTL field as a default for missing TTL
values.

BIND 9.0 and 9.1 completely refused to load such files.  BIND 9.2
emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
files anyway (provided the SOA is the first record in the file), but
will issue the warning message "no TTL specified; using SOA MINTTL
instead".

To avoid problems, we recommend that you use a $TTL directive in each
zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way.  This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND.  If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

	@@	IN SOA	ns.example. hostmaster.example.
			( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9.  The fix is to move the opening parenthesis to the first
line.

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated.  Use \$ instead.

2.6. TXT records are no longer automatically split.

Some versions of BIND accepted strings in TXT RDATA consisting of more
than 255 characters and silently split them to be able to encode the
strings in a protocol conformant way. You may now see errors like this
        dns_rdata_fromtext: local.db:119: ran out of space
if you have TXT RRs with too longs strings. Make sure to split the
string in the zone data file at or before a single one reaches 255
characters.

3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response.  Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely.  We have contacted the manufacturer of the name server in
case, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level.  If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.  
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a
bug in the Windows 2000 DNS server where DNS messages larger than
16K are not handled properly.  Obtain the latest service pack for
Windows 2000 from Microsoft to address this issue.  In the meantime,
the problem can be worked around by setting "transfer-format one-answer;".
http://support.microsoft.com/default.aspx?scid=kb;en-us;297936

4. Unrestricted Character Set

		BIND 9.2 only

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details.  Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf.  BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.

	BIND 9.3 onwards implements check-names.

5. Server Administration Tools

5.1 Ndc Replaced by Rndc

The "ndc" program has been replaced by "rndc", which is capable of
remote operation.  Unlike ndc, rndc requires a configuration file.
The easiest way to generate a configuration file is to run
"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
and rndc.conf(5) for details.

5.2. Nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature
where an update request would be broken down into multiple requests
based upon the discovered zones that contained the records.  This
behaviour has not been implemented in BIND 9.  Each update request
must pertain to a single zone, but it is still possible to do multiple
updates in a single invocation of nsupdate by terminating each update
with an empty line or a "send" command.


6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR.  When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any).  In the case
of children of type "stub", this behaviour was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behaviour need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.


7. Umask not Modified

The BIND 8 named unconditionally sets the umask to 022.  BIND 9 does
not; the umask inherited from the parent process remains in effect.
This may cause files created by named, such as journal files, to be
created with different file permissions than they did in BIND 8.  If
necessary, the umask should be set explicitly in the script used to
start the named process.


$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
@


1.4
log
@SVN rev 222395 on 2011-05-28 00:21:28Z by dougb

Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
@
text
@d267 1
a267 1
$Id: migration,v 1.49 2008-03-18 15:42:53 jreed Exp $
@


1.4.2.1
log
@SVN rev 234010 on 2012-04-08 01:43:41Z by dougb

MFC r233909:

Add Bv9ARM.pdf to the list of docs to install.

MFV/MFC r233914:

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
@
text
@d267 1
a267 1
$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
@


1.3
log
@SVN rev 193149 on 2009-05-31 05:42:58Z by dougb

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

	Full NSEC3 support
	Automatic zone re-signing
	New update-policy methods tcp-self and 6to4-self
	DHCID support.
	More detailed statistics counters including those supported in BIND 8.
	Faster ACL processing.
	Efficient LRU cache-cleaning mechanism.
	NSID support.
@
text
@d267 1
a267 1
$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
@


1.3.2.1
log
@SVN rev 222396 on 2011-05-28 00:33:06Z by dougb

Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
@
text
@d267 1
a267 1
$Id: migration,v 1.49 2008-03-18 15:42:53 jreed Exp $
@


1.3.2.2
log
@SVN rev 233915 on 2012-04-05 04:31:17Z by dougb

Update to version 9.6-ESV-R6, the latest from ISC, which contains numerous
bug fixes.
@
text
@d267 1
a267 1
$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
@


1.2
log
@SVN rev 186462 on 2008-12-23 22:47:56Z by dougb

Merge from vendor/bind9/dist as of the 9.4.3 import
@
text
@d267 1
a267 1
$Id: migration,v 1.45.18.3 2008/03/18 15:45:43 jreed Exp $
@


1.1
log
@Initial revision
@
text
@d1 1
a1 1
Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
d29 10
d132 9
d147 2
a148 3
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardised,
but we hope it will be.
d185 2
d206 1
d267 1
a267 1
$Id: migration,v 1.37.2.3.2.2 2004/03/06 13:16:19 marka Exp $
@


1.1.1.1
log
@Vender import of BIND 9.3.0rc4.
@
text
@@


1.1.1.2
log
@Vendor import of BIND 9.3.1
@
text
@a121 9
2.6. TXT records are no longer automatically split.

Some versions of BIND accepted strings in TXT RDATA consisting of more
than 255 characters and silently split them to be able to encode the
strings in a protocol conformant way. You may now see errors like this
        dns_rdata_fromtext: local.db:119: ran out of space
if you have TXT RRs with too longs strings. Make sure to split the
string in the zone data file at or before a single one reaches 255
characters.
d246 1
a246 1
$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $
@


1.1.1.2.2.1
log
@SVN rev 179502 on 2008-06-03 05:38:10Z by dougb

Update to version 9.3.5. It contains the latest bug fixes, updates
to root server addresses, and a fix for the vulnerability mentioned
here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122

Users of BIND 9.3.x are strongly encouraged to upgrade to this
version. Also, the 9.3.x branch is now in maintenance-only mode.
Users are encouraged to investigate BIND 9.4.x or perhaps 9.5.x.

http://www.isc.org/index.pl?/sw/bind/versions_and_support.php

This udpate is being done by updating the files directly in this
branch rather than an import + MFC because BIND in HEAD is 9.4.x.
@
text
@d1 1
a1 1
Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
d137 3
a139 2
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.
a175 2
		BIND 9.2 only

a194 1
	BIND 9.3 onwards implements check-names.
d255 1
a255 1
$Id: migration,v 1.37.2.3.2.4 2007/09/07 06:35:24 marka Exp $
@


1.1.1.3
log
@Vendor import of BIND 9.4.1
@
text
@d255 1
a255 1
$Id: migration,v 1.45.18.1 2004/11/22 22:32:19 marka Exp $
@


1.1.1.3.2.1
log
@MFC contrib code and bmake changes for BIND version 9.4.2

Approved by:	re (kensmith)
@
text
@d1 1
a1 1
Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
d137 3
a139 2
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.
a175 2
		BIND 9.2 only

a194 1
	BIND 9.3 onwards implements check-names.
d255 1
a255 1
$Id: migration,v 1.45.18.2 2007/09/07 06:34:21 marka Exp $
@


1.1.1.3.2.2
log
@SVN rev 186996 on 2009-01-10 03:00:21Z by dougb

MFC the BIND 9.4.3 and 9.4.3-P1 updates
@
text
@d1 1
a1 1
Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
a28 10
BIND 9.4 onwards implements "allow-query-cache".  The "allow-query"
option is no longer used to specify access to the cache.  The
"allow-query" option continues to specify which hosts are allowed
to ask ordinary DNS questions.  The new "allow-query-cache" option
is used to specify which hosts are allowed to get answers from the
cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
"allow-recursion" is used if it is set, otherwise "allow-query" is
used if it is set, otherwise the default localnets and localhost
is used.

d257 1
a257 1
$Id: migration,v 1.45.18.3 2008/03/18 15:45:43 jreed Exp $
@


1.1.1.3.2.3
log
@SVN rev 222399 on 2011-05-28 00:58:19Z by dougb

Upgrade to 9.4-ESV-R4-P1, which addresses the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
@
text
@d267 1
a267 1
$Id: migration,v 1.45.18.3 2008-03-18 15:45:43 jreed Exp $
@


1.1.1.4
log
@Vendor import of BIND 9.4.2
@
text
@d1 1
a1 1
Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
d137 3
a139 2
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.
a175 2
		BIND 9.2 only

a194 1
	BIND 9.3 onwards implements check-names.
d255 1
a255 1
$Id: migration,v 1.45.18.2 2007/09/07 06:34:21 marka Exp $
@


1.1.1.1.2.1
log
@MFC: BIND 9 and related bits.

Approved by:	re
@
text
@@


1.1.1.1.2.2
log
@MFC BIND 9.3.1 and related bmake updates

Approved by:	re (kensmith)
@
text
@a121 9
2.6. TXT records are no longer automatically split.

Some versions of BIND accepted strings in TXT RDATA consisting of more
than 255 characters and silently split them to be able to encode the
strings in a protocol conformant way. You may now see errors like this
        dns_rdata_fromtext: local.db:119: ran out of space
if you have TXT RRs with too longs strings. Make sure to split the
string in the zone data file at or before a single one reaches 255
characters.
d246 1
a246 1
$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $
@


