sorry to ruin several of your evenings...
...but this one's important. Contact me at home (paul@vix.com) if nec'y.

To: bind-announce@isc.org
Subject: BIND 8.2.3 release announcement
Date: Fri, 26 Jan 2001 21:11:49 -0800
From: Paul A Vixie <vixie@isc.org>

-----BEGIN PGP SIGNED MESSAGE-----

Highlights vs. BIND 8.2.2:

    Several serious security holes plugged.
    Many bug fixes, especially to IXFR and TSIG.
    New "ndc reload -noexpired" feature.
    "ndc status" now shows config file name and age.
    Ignore stuck stale queries after long zone load delay.
    TTL 0 is now allowed in zone files.
    Several updated contrib/ packages.
    Better portability to Win/NT.
    Ported to Darwin (Mac OS X).
    Forwarders are now used in order by measured RTT.

Distribution files are:

    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-src.tar.gz
    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-doc.tar.gz
    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-contrib.tar.gz

PGP signature files are:

    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-src.tar.gz.asc
    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-doc.tar.gz.asc
    ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-contrib.tar.gz.asc

MD5 checksums are:

    MD5 (bind-contrib.tar.gz) = d9cf8e675911fc98b1b5a540bfbc72a3
    MD5 (bind-contrib.tar.gz.asc) = 2d284eabe3cda486ab969a18311aa7f7
    MD5 (bind-doc.tar.gz) = c26474bb791552cc0cbc5af72190a772
    MD5 (bind-doc.tar.gz.asc) = 3d62e725e05bb2caed099616b5fd8e8a
    MD5 (bind-src.tar.gz) = e21e2854d72afd2ffbee17cfe8caa581
    MD5 (bind-src.tar.gz.asc) = a481d492266e3c7809b6f792fd4fb85b

top of CHANGES says:

--- 8.2.3-REL released ---

1139. [bug] inet_{net_,}ntop() had an off-by-one error.
1138. [bug] purge_nonglue() should only be fatal on master servers.
1138. [port] add include/errs.h to various ports. winnt: #1130 caused linkage failures.

--- 8.2.3-RC5 released ---

1137. [bug] rfc1034 escape sequences not processed when replaying updates.
1136. [port] winnt: named no longer creates resolv.conf.
1135. [bug] fixup from #1130/1132.
1134. [port] winnt: SIOCGIFADDR, SIOCGIFFLAGS, SIOCGIFDSTADDR and mkstemp() fixes.
1133. [bug] sorting of SIG/non-SIG records prior to rrset ordering was broken.

--- 8.2.3-RC4 released ---

1132. [lint] more #1130.
1131. [support] TTL 0 is now allowed in zone files.
1130. [lint] massive, massive delinting from "gcc -Wall".
1129. [support] "max_log_size_ixfr" is now a scaled number (4m, etc).
1128. [contrib] updated mdnkit.
1127. [port] winnt: support for more interfaces, dnskeygen.
1126. [bug] resolver: close cached file descriptors when socket() fails.
1125. [bug] when ns_addr_list is rotated, rotate cached file descriptors.
1124. [bug] the select() timeout was not always being correctly computed.
1123. [bug] changes to ns_addr_list were not being reflected into our private copy.
1122. [port] sco: DESTRUN and DESTSBIN can't be the same.
1121. [cleanup] re-word "server is ??? priming" status message.
1120. [bug] more #1108 fine tuning.
1119. [bug] "delete all" RRs were not being printed correctly.
1118. [port] winnt: always install the named executable.
1117. [port] linux: turn off returning ICMP port unreachables.
1116. [bug] minor tweak to #1108.
1115. [bug] fail if tsig transfers are requested but we can't communicate the keys to named-xfer.
1114. [bug] remove extraneous semi-colon from ns_parser.y.

--- 8.2.3-T9B released ---

1113. [support] show config file name and age in "ndc status".
1112. [support] "ndc status" no longer mentions loading of config.
1111. [port] some versions of sunos don't have _POSIX_PATH_MAX.
1110. [bug] zones with Null keys at delegation incorrectly rejected.
1109. [support] named-xfer was bombing on non-TSIG'd zones.
1108. [support] ignore queries that come in during long synch ops.
1107. [func] allow the default syslog facility to be set by adding -DISC_FACILITY=<value> to CDEBUG in Makefile.set.
1106. [func] host statistics can now be cleared after they are dumped. Use "ndc stats clear".
1105. [func] host-statistics-max can be used to set an upper bound on the number of hosts we collect statistics against.
1104. [func] the source of a record is no longer dependent on setting "host-statistics yes;".
1103. [doc] winnt: updated port specific notes.
1102. [port] winnt: BINDctrl fixes.
1101. [port] winnt: install fixes.
1100. [bug] named-xfer: some memory allocations were not checked.
1099. [bug] more missing INIT_LINK's.
1098. [support] force gmake to fail if the sub-shell fails.
1097. [port] winnt: lower the logging level so that BINDCtrl status checks do not cause the eventlog to fill up.
1096. [bug] don't pass '-i' to named-xfer unless we are going to attempt an IXFR.
1095. [bug] dig: report missing arguments.
1094. [port] winnt: more cylink fixes, updated install.
1093. [bug] winnt: build lib cylink correctly.
1092. [cleanup] winnt: snmpmib.c is no longer required.
1091. [support] winnt: work out the install directory.
1090. [bug] winnt: install was copying old over new.
1089. [bug] winnt: fix copyright for nameserver.c. winnt: snmpmib.c not needed in libbind.dsp.
1088. [bug] #1053 still contained NAPTR problems.

--- 8.2.3-T8B released ---

1087. [port] sunos/gcc _POSIX_PATH_MAX isn't defined when it should be.
1086. [doc] malformed man page for heap.
1085. [bug] ixfr responses to zones we don't serve were malformed.
1084. [bug] INIT_LINK before APPEND in four more places.
1083. [support] only log "no options before zone" config error before FIRST zone [kjd].
1082. [bug] have client-side IXFR work in single answer mode [kjd].
1081. [bug] have server-side IXFR work in single answer mode [kjd].
1080. [support] still do IXFR's even when a file name is not specified for zone [kjd].
1079. [support] need to have a file name for a hints zone [kjd].
1078. [port] WinNT interface enumeration fixes from Danny Mayer.
1077. [support] format string audit.
1076. [port] now recognize RH7.0's "strndup()".
1075. [contrib] add contrib/resparse-1.3 [Henning Schulzrinne @CU].
1074. [support] INSIST that lists are correctly managed.
1073. [port] Win/NT port work from Danny Mayer. Dig, host and nslookup have been added.
1072. [port] work around a gcc bug on solaris.
1071. [bug] memory leak in res_nsendsigned().
1070. [bug] We were accepting non syntactically valid SOA records.
1069. [port] movefile() is now part of libbind as isc_movefile(), remaining rename() calls converted to isc_movefile().
1068. [bug] purge the zone from memory if an error is detected on loading.
1067. [bug] reload the parent zone if loading the child zone fails, the parent zone may otherwise be corrupted.
1066. [bug] refresh/retry timer need to be reset after IXFR.
1065. [bug] IXFR change list could be freed too early.
1064. [bug] unchecked memget in sx_send_ixfr().
1063. [bug] fix #1041 was incomplete.
1062. [bug] host printed out address records multiple times if they were at the end of a CNAME chain.
1061. [bug] host failed to look for A records for the second and subsequent entries in the search list when using the default lookup.
1060. [bug] $GENERATE did not reject an out of zone LHS.
1059. [bug] res_findzonecut() contained a bad debugging printf.
1058. [bug] possible NULL pointer de-reference in dst_key_to_buffer().
1057. [doc] document that bogus causes anti-alias processing.
1056. [bug] ns_sprintrrf() could incorrectly print "." as "@".
1055. [bug] aa was being cleared on notify "queries" prior to testing.
1054. [bug] NAPTR records were using name compression.
1053. [bug] NAPTR records were not being printed correctly.
1052. [bug] UPDATES w/ NAPTR records were failing.
1051. [contrib] YADDAS: Yet another DNS database awk script.
1050. [bug] named-bootconf did not handle cacheless secondary/stub zones. NOTE cacheless secondary/stub zones are not recommended.
1049. [bug] buffer overruns by 1 in getnameinfo().
1048. [bug] ns_ctl_install() was corrupting the server_controls list.
1047. [bug] req_iquery() wasn't doing a final update on buflenp.
1046. [port] Win/NT port improved by its author.

--- 8.2.3-T7B released ---

1045. [bug] forwarded and initiated TCP queries weren't affected by the "query-source" config option, and weren't being set nonblocking.
1044. [support] add HITCOUNTS compile-time option (from lamont@hp.com).
1043. [bug] dnsquery's command line args could overflow buffers.
1042. [doc] maintain-ixfr-base had wrong description in named.conf(5).
1041. [bug] host assumed axfr returned "one-answer" responses.
1040. [bug] add d_rcnt processing to update processing.
1039. [bug] qcomp wasn't stable.
1038. [port] solaris needs a strerror that does not return NULL, call isc_strerror instead.
1037. [support] soften #1025 -- continue to accept !AA notify req's.
1036. [debug] add TKEY debugging support.
1035. [bug] ndc's "help" command worked in signal but not channel mode.
1034. [bug] loc_ntoa() failed to correctly print altitudes in the range [-0.99 .. -0.01].
1033. [port] Win/NT portability infusion from Larry @NortelNetworks.
1032. [bug] fix minor signal buglet introduced in #1029.
1031. [bug] nslookup now correctly refuses to accept qtypes AXFR or IXFR. (use nslookup "ls", not queries, for this.)
1030. [protocol] nslookup "ls" command now uses writev() rather than two write()'s, to get msglen and query into same tcp seg.

--- 8.2.3-T6B released ---

1029. [bug] incredibly busy systems could starve handle_needs().
1028. [protocol] unrecognized TSIG was returning NOERROR (now NOTAUTH).
1027. [support] INSIST(), ENSURE(), et al, now always have sideeffects.
1026. [port] some kernels bogusly return tv_usec>1000000 from gettimeofday(). panic and dump core when this happens.
1025. [proto] NOTIFY messages should have AA.
1024. [bug] we were unwilling to use the last 10 octets of a response buffer in certain transaction types.
1023. [port] HP-UX 10.20 was looping inside contrib/dnssigner.
1022. [port] ensure that all handled signals are unblocked.
1021. [bug] the "host" command wasn't properly printing SRV RR's.
1020. [contrib] new "updatehosts" (V1.1.0) contributed by author.
1019. [port] separate CFLAGS and CPPFLAGS for unusual builds.
1018. [bug] When maintain_ixfr_base is set to "no" a zone's IXFR file was still being written to.
1017. [doc] resolver(3) was out of date with respect to recent API changes.
1016. [bug] nslookup wasn't properly printing SIG RR's.
1015. [bug] when merging group information gr_name and gr_passwd could be left pointing at freed memory.
1014. [bug] iquery: DoS (potential), information leak.
1013. [bug] mangled hostent structures returned by gethostbyname_r() and friends.
1012. [doc] add named-bootconf example to INSTALL.
1011. [bug] if spawnxfer() fails we should return immediately.
1010. [bug] bad responses to the initial IXFR/SOA query could result in using an uninitialised variable.
1009. [port] Add support for darwin / Mac OS X.
1008. [doc] specify allow-query default in named.conf.
1007. [bug] only set STREAM_AXFRIXFR if the original query is an IXFR.

--- 8.2.3-T5B (RC3) released ---

1006. [port] Windows/NT does not have fchown().
1005. [bug] RD was sometimes left set, inappropriately.
1004. [bug] cached NXT's were corrupted.
1003. [bug] correction to #997.
1002. [bug] file descriptor leak in res_nclose().
1001. [port] some builds were too fast.

--- 8.2.3-T4B (RC2) released ---

1000. [bug] #996 was wrongly implemented; replacement fix.

--- 8.2.3-T3B released ---

999. [support] named now makes an effort to create its files with ownership as specified by -u and -g command options.
998. [support] show version number in NOTIFY log messages.
997. [support] forwarders are now used in order by measured RTT.
996. [protocol] if answering ixfr with full zone, used qtype axfr.
995. [bug] "dig -b" was broken due to missing switch "break;".
994. [bug] named-xfer did not handle empty question sections.
993. [bug] TSIG AXFR was completely broken in DiG.
992. [bug] OPTION_USE_IXFR and OPTION_MAINTAIN_IXFR_BASE had non-single-bit flag values in src/bin/named/ns_defs.h.
991. [protocol] send A6 glue records in xfr.
990. [bug] we could lose track of a bottom of zone cut if the write buffer filled up at just the correct moment.
989. [bug] apply "fetch-glue no;" to notify processing. need to add A records that would be found this way w/ also-notify.
988. [support] report expired zones when detected in maintenance pass.
987. [feature] "ndc reconfig -noexpired" skip attempts to load expired zones when reconfiguring.
986. [bug] pushlev only needs to be called for axfr/zxfr not ixfr.

--- 8.2.3-T2B released ---

985. [support] remove "view" command from nslookup (it used mktemp()).
984. [bug] always restart processing query from scratch if we have chased a CNAME as we might still have the answer in the cache once the CNAME has been resolved.
983. [support] "notify from non-master server" is now debug, not info.
982. [bug] rollback the compression pointers array when a RRset/RR does not fit.
981. [port] decunix: typedef (u_)int#m_t.
980. [bug] mishandled memget failure w/ TCP connections.
979. [bug] we were failing to call ns_stopxfrs() before calling purge_zone() in some cases.
978. [port] sco50: setsockopt(SO_REUSEADDR) fails on unix domain sockets.
977. [bug] we should be returning notimpl for update forwarding rather than refused. a client receiving refused should terminate the update attempt. notimpl should just cause the client to skip to the next server.
976. [bug] some stats weren't getting incremented, & added a few.
975. [support] SLAVE_FORWARD is now redundant and has been removed.
974. [port] ultrix with vendor's y2k patch explicitly desupported.
973. [bug] some field names added in #935 conflicted with macros.
972. [support] restore heartbeat notifies.
971. [bug] out of order updates in log.
970. [port] solaris: add ipv6 interface scanning support.
969. [bug] post process a zone load to remove any non-glue at or below bottom of zone.
968. [bug] TSIGs failed to verify if the key name was compressed.
967. [bug] zones signed by the BIND 9 signer failed to load.

--- 8.2.3-T1A released ---

966. [bug] nslookup and dig misprinted root zone in $ORIGIN.
965. [feature] dig's command line input buffer was rather small.
964. [bug] make res_nsearch() behave like res_search() of olde.
963. [bug] res_debug::do_section() can no longer spin all VM.
962. [bug] another almost-complete rewrite of IXFR from kjd (462).
961. [bug] acl "none" now fails to match but doesn't end search.
960. [bug] more hesiod library fixes from danny.
959. [doc] christos fixed several man page typos and brainos.
958. [bug] getnameinfo() should accept experimental/multicast.
957. [port] ultrix again. "cd" now presumed to be silent again.
956. [bug] multiline was not being cleared correctly.
955. [bug] explicit TTL on SOA records were being replaced with soa minimum.
954. [bug] cannot load a signed root zone.
953. [bug] memory overrun in set_zone_ixfr_file().
952. [bug] errs was not being correctly adjusted if the included master file did not exist in db_load().
951. [bug] contrib/dns_signer/signer: write_trim_name array bounds write error.
950. [bug] hesiod: ctx->res was not being initialised.
949. [port] aix32: add prand_conf.h and define WCOREDUMP.
948. [bug] fixed logic error in a number of expressions causing res_ninit() not to be called when it should be.
947. [bug] sanity check in dst_read_key() wasn't.
946. [port] freebsd: threaded library support.
945. [bug] wrong file name logged in ixfr_have_log().
944. [doc] add forwarders to zone types master/slave/stub in named.conf man page.
943. [bug] raise CNAME and OTHER / multiple CNAME logging to warning.
942. [bug] bad referrals logged for forwarders.
941. [bug] lame server detection wasn't checking for SOA record.
940. [clarity] unapproved -> denied in log messages.
939. [bug] reload_master and purgeandload should write the zone if it has been updated.
938. [bug] update and ixfr logs could get corrupted. fseek() before ftell() on fopen(, "a+") file.
937. [support] allow parallel makes to work.
936. [protocol] add preliminary A6 glue recognition in ns_req.
935. [cleanup] res_nsend() segmented into multiple functions for readability. also fixed two file descriptor leaks. CAN_RECONNECT is gone, keep one socket per nameserver.
934. [bug] Perror and Aerror were incorrect if DEBUG is not defined.
933. [port] cygwin port added.
932. [port] sco42 does not have unix domain sockets or gethostid.
931. [bug] eventlib was not handling unix domain sockets correctly.
930. [bug] we weren't using all the potential compression pointers in the question section.
929. [bug] we were accepting updates (adds) with illegal ttls.
928. [bug] if we manage to get an illegal ttl stored, print it unsigned.
927. [port] hpux: (11.* 10.30) Makefile.set.gcc.
926. [port] hpux10: gcc needs -D_HPUX_SOURCE and -fPIC.
925. [protocol] when a slave loads it should notify others (RFC 1996).
924. [port] sunos solaris: #define NEED_SECURE_DIRECTORY to secure the directory containing unix domain socket rather than the socket itself.
923. [support] shutup "make clean" about missing threaded directories.
922. [bug] removing a cached zone file then performing a "ndc reload zone" should force a zone transfer.
921. [bug] nsupdate: listuprec was not being initialised.
920. [port] aix4: Makefile.set.gcc. aix4: __P was being defined by <net/radix.h>.
919. [port] linux: remove one level of symbolic linkage when performing make links on port/linux/include.
918. [bug] update prerequisite could match w/ wildcard.
917. [port] irix: make the current IRIX release (6.5) work by not patching res_debug.c. see INSTALL if you have problems with 6.3.
916. [bug] removing / changing a zone type could result in Z_NOTIFY being cleared / tested against the wrong zone.
915. [bug] evNewWaitList() was not maintaining the prev chain.
914. [bug] signal EWOULDBLOCK if EV_POLL'ing with no timers.
913. [bug] input could get lost on the server side of a ctl sock.
912. [bug] nsupdate now allows explicit 0 TTL's on added RR's.
911. [bug] gethostbyname() should not return duplicate addresses.
910. [bug] address-sorting logic was exiting early.
909. [bug] dig wasn't respecting the +ti and +ret arguments.
908. [contrib] Tony Stoneley sent us an updated misc/makezones.
907. [port] winnt fixes from Larry at Nortel.
906. [bug] res_findzonecut() failed if the NS referred to a CNAME.
905. [doc] Minor fix to doc/man/Makefile for getnameinfo.
904. [bug] bin/host wasn't looking up MX records if no -t flags were passed to it.

--- 8.2.2-P6 released ---

...
On Fri, Jan 26, 2001 at 09:47:08PM -0800, Paul A Vixie wrote:
...but this one's important. [...] Several serious security holes plugged.
Not to disrespect Mr. Vixie, or detract from the operational content of the original post, but I'd like to recommend another solution to these recently reported security holes in BIND: install djbdns <http://www.djbdns.org/>.

-adam
On Sat, Jan 27, 2001 at 07:46:23PM -0500, Adam Rothschild wrote:
On Fri, Jan 26, 2001 at 09:47:08PM -0800, Paul A Vixie wrote:
...but this one's important. Several serious security holes plugged.
Not to disrespect Mr. Vixie, or detract from the operational content of the original post, but I'd like to recommend another solution to these recently reported security holes in BIND: install djbdns <http://www.djbdns.org/>.
Or DENTS <http://sourceforge.net/projects/dents/>, created by the Mindspring technical team, spearheaded by Todd Lewis, who I think is hereabouts.

Certainly there are many approaches to DNS, and as several people have mentioned this month, genetic diversity in service provision, especially DNS, and most especially Root DNS, is A Good Thing.

Thanks, though, to Paul for the heads up; I'd missed the announcement through other channels, and I'm pretty sure at least one break-in in my last 6 months came through a BIND hole.

Cheers,
-- jra

-- 
Jay R. Ashworth                                     jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet              The Things I Think
Tampa Bay, Florida                http://baylink.pitas.com      +1 727 804 5015
On Sat, Jan 27, 2001 at 07:46:23PM -0500, Adam Rothschild wrote:
On Fri, Jan 26, 2001 at 09:47:08PM -0800, Paul A Vixie wrote:
...but this one's important. [...] Several serious security holes plugged.
Not to disrespect Mr. Vixie, or detract from the operational content of the original post, but I'd like to recommend another solution to these recently reported security holes in BIND: install djbdns <http://www.djbdns.org/>.
It's not open source though...
http://www.linuxmafia.com/~rick/faq/#djb

Marc

-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key
Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0 (sorry, I purged some mails before their time). Just for the sake of readiness, be aware that there are some 8.x options which are unsupported in 9.x. I did an in-place upgrade and had to make a few (mostly insignificant) changes which may be problematic for larger sites.

http://www.isc.org/products/BIND/docs/config/options.html is the online reference for the 8.x server.

The global config entries I had to remove were:

fake-iquery yes

    Returns the original query as the answer when an Inverse Query is issued (rare). It was mostly useful for ancient versions of nslookup, and probably is not used by anybody now. I used it for testing purposes. I don't know if 9.x supports inverse queries or not. No loss either way.

multiple-cnames yes

    Allows a domain name entry to have multiple CNAME references; this is often used by sites to fake load distribution algorithms. Should not be used by anybody, but is anyway. I used it for testing purposes. I would guess that 9.x finally gave up on this legacy ghost. No loss for me, will be problematic for some, despite all of the well-intentioned warnings.

rfc2308-type1 yes

    From the online docs: "If yes, the server will send NS records along with the SOA record for negative answers. You need to set this to no if you have an old BIND server using you as a forwarder that does not understand negative answers which contain both SOA and NS records or you have an old version of sendmail. The correct fix is to upgrade the broken server or sendmail. The default is no." I had this enabled for testing purposes, but I can't remember exactly why now. It may have been for compatibility testing with some older servers but I can't remember. According to the options document it should be allowed but 9.1.0 bitched about it. No problems yet so no loss yet.

check-names slave ignore

    Lets you load a zone that contains A records with "illegal" hostnames. The "slave ignore" parameter is needed with 8.x in order to secondary for Active Directory (AD breaks the law on allowable characters in hostnames by assigning an A record with the AD domain name, especially annoying since a lot of people want to use that A record for web activities). 8.x was overly conservative in this regard (sometimes an A is not a hostname); 9.x doesn't seem to stop you from defining A records with illegal hostnames, so no loss.

maintain-ixfr-base true

    Used to keep a transaction journal for incremental transfer operations (IXFR). I haven't gotten IXFR tested out yet with 9.1.0 but apparently this is automagic now. The option is listed as obsolete and is not recognized, so I am probably doing something wrong (or nsupdate is still broken).

There are lots of obsolete entries so an in-place upgrade for complex configs really needs to be tested first. Also note that named.conf man pages are not in the 9.1.0 build, so "man named.conf" will most likely reuse your 8.x docs, which won't jive with the 9.1.0 options.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
[ On Monday, January 29, 2001 at 01:36:42 (-0800), Eric A. Hall wrote: ]
Subject: Re: sorry to ruin several of your evenings...
Somebody asked about an in-place upgrade from BIND 8.x to BIND 9.1.0 (sorry I purged some mails before their time). Just for the sake of readiness, be aware that there are some 8.x options which are unsupported in 9.x. I did an in-place upgrade and had to make a few (mostly insignificant) changes which may be problematic for larger sites.
The global config entries I had to remove were:
fake-iquery yes
multiple-cnames yes
rfc2308-type1 yes
check-names slave ignore
maintain-ixfr-base true
That's just the beginning! :-)

Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'memstatistics-file' is not yet implemented
Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: the default for the 'auth-nxdomain' option is now 'no'
Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'host-statistics' is not yet implemented
Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'use-id-pool' is obsolete
Jan 29 13:37:46 proven /usr/pkg/sbin/named[22298]: option 'check-names' is not implemented
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'os' ignored
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'parser' ignored
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'load' ignored
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'panic' ignored
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'packet' ignored
Jan 29 13:37:47 proven /usr/pkg/sbin/named[22298]: unknown logging category 'eventlib' ignored

I don't yet know if "host-statistics" is still necessary to be able to see the source of an RR in a dump file, or not, but if so then that'll be a road-block in keeping me from using 9.1.0 in production.

I'm also very partial to 'check-names'. I've been happy using the following in many locations:

check-names master fail;
check-names slave fail;
check-names response fail;

Even more critically, the old 'ndc' program has been replaced by 'rndc', which won't work until you've configured it (/etc/rndc.conf) *and* you add "controls" statements to your /etc/named.conf to allow it to connect, authenticate, and send commands. There doesn't seem to be a default way of setting it up for local-only control. I haven't done this yet.

Even worse than that, the new BIND-9 'named' not only doesn't handle signals in the same way as previous versions, but it shuts down instead of ignoring SIGINT (which used to generate a dump file, which is why I've not yet successfully generated and viewed a dump file to see if the source of the RR is recorded in there!).

So: WARNING: Anyone with scripts or other programs that use signals (i.e. kill(1), or kill(2)) to control their named process will almost certainly have to re-code to work with BIND-9 (and use 'rndc' and/or its mechanisms)!

You'll also find that the new named-checkconf fails if you use:

options {
    directory "/etc/namedb";
};

and then try to do something like:

include "named-rfc1918.conf";
include "named-slave.conf";
include "named-master.conf";

However the named process itself does seem to do the chdir("/etc/namedb") before trying to do the "include"s, and if you start named-checkconf from within the right directory it'll work....

-- 
Greg A. Woods
+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
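Eric's list of removed options and Greg's 9.1.0 startup log between them name a concrete set of BIND 8 settings that 9.1.0 rejects or ignores. The checker below is an added example for this thread, not code from either poster and not an ISC tool: it tokenizes a named.conf (handling the three comment styles and quoted strings) and flags those names, using only the options, logging categories and verdicts the two posts report; the config fragment it runs on is constructed.

```python
"""Flag BIND 8 named.conf settings that BIND 9.1.0 reports as obsolete,
unimplemented or unknown. Added example for this thread; it is not ISC
code, and the names and verdicts below are only those the thread reports."""
import re

# Option names and the 9.1.0 verdicts quoted in the two posts above.
OPTION_STATUS = {
    "fake-iquery": "not supported in 9.x",
    "multiple-cnames": "not supported in 9.x",
    "rfc2308-type1": "rejected by 9.1.0",
    "check-names": "not implemented",
    "maintain-ixfr-base": "obsolete (IXFR journal is automatic)",
    "memstatistics-file": "not yet implemented",
    "host-statistics": "not yet implemented",
    "use-id-pool": "obsolete",
}
# Logging categories 9.1.0 logs as "unknown logging category ... ignored".
UNKNOWN_CATEGORIES = {"os", "parser", "load", "panic", "packet", "eventlib"}

# Quoted strings are matched first so a '//' inside one never starts a comment.
_COMMENT_OR_STRING = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Tokens: quoted string, one structural character, or a bare word.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def strip_comments(text):
    """Blank out comments while leaving quoted strings untouched."""
    return _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def _check(stmt, stack, findings, seen):
    """Inspect one statement head in the context of its enclosing blocks."""
    where = "/".join(stack) or "top-level"
    head = stmt[0]
    if stack and stack[-1] == "options":
        seen.add(head)
    if head in OPTION_STATUS:
        findings.append((head, where, OPTION_STATUS[head]))
    elif (head == "category" and len(stmt) > 1 and stack
          and stack[-1] == "logging" and stmt[1] in UNKNOWN_CATEGORIES):
        findings.append(("category " + stmt[1], where,
                         "unknown logging category, ignored"))

def audit_named_conf(text):
    """Return (setting, enclosing block, verdict) triples in file order."""
    findings, seen, stack, stmt = [], set(), [], []
    for tok in _TOKEN.findall(strip_comments(text)):
        if tok == "{":
            if stmt:
                _check(stmt, stack, findings, seen)
            stack.append(stmt[0] if stmt else "?")
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            if stmt:
                _check(stmt, stack, findings, seen)
            stmt = []
        else:
            stmt.append(tok)
    # Greg's startup log shows the auth-nxdomain default flipped to 'no';
    # a config that never sets it changes behaviour silently on upgrade.
    if "auth-nxdomain" not in seen:
        findings.append(("auth-nxdomain", "options",
                         "default is now 'no'; set it explicitly if you relied on 'yes'"))
    return findings

# Constructed BIND 8 fragment exercising every case above (not a real config).
SAMPLE_CONF = """
options {
    fake-iquery yes;
    multiple-cnames yes;
    rfc2308-type1 yes;
    check-names slave ignore;
    maintain-ixfr-base true;   # BIND 8 IXFR journal switch
    host-statistics yes;
    use-id-pool yes;
    memstatistics-file "named.memstats";
};
logging {
    category os { default_syslog; };
    category panic { default_syslog; };
    category queries { default_syslog; };
};
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    check-names ignore;
};
"""

if __name__ == "__main__":
    for setting, where, verdict in audit_named_conf(SAMPLE_CONF):
        print(f"{where:10} {setting:22} {verdict}")
```

The checker only knows the names this thread lists; bind-9.1.0/doc/misc/options (mentioned below) is the authoritative list to extend OPTION_STATUS from.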
I recommend reading bind-9.1.0/doc/misc/options from the bind9 distribution, it explains what is implemented, isn't implemented, or is obsolete.

Matthew S. Hallacy
XtraTyme Technologies
participants (7): Adam Rothschild, Eric A. Hall, Jay R. Ashworth, Marc MERLIN, Paul A Vixie, poptix@sleepybox.poptix.net, woods@weird.com