Release 9.10 improves DNS performance and manageability for both authoritative services and recursive (caching) resolver applications.
BIND users now have even more choices.
The new 9.10 branch will be the fourth simultaneous release train ISC is supporting, alongside 9.8, 9.9 and 9.9-subscriber. (In January 2014 ISC ended support for the 9.6 branch, launched in 2008, as previously announced.) We recommend that administrators run one of our older, stable branches, such as a 9.8 or 9.9-based release on their critical production systems, while testing the new 9.10 branch until the second or third maintenance release. The release notes are now posted alongside the software download, and we have created a folder in the knowledge base for articles on the new 9.10 features. Below are the highlights of major enhancements in BIND and BIND tools.
Response Rate Limiting. One of the major features in 9.10 was actually first introduced in the 9.9 train in the 9.9.4 maintenance release. We violated our usual policy of limiting maintenance releases to bug fixes because this feature (Response Rate Limiting) was so important. If you are not using it yet on your authoritative servers, you should consider it now. RRL has proven to be so valuable and effective that it is now included in the default software-build configuration, which means that you can use RRL without having to configure and create a custom version of BIND. Instructions for using RRL are in KB article AA-0994 and (in somewhat more detail) in the BIND 9.10 ARM. We held a webinar “RRL — Strategies for a Successful Deployment” in November, 2013, in which Eddy Winstead interviewed Peter Losher, our Senior Systems Engineer who deployed RRL for F-Root. Also note our earlier webinar on RRL.
One of the major themes for BIND 9.10 is performance improvement. There are significant enhancements for both authoritative and recursive operations in many of the areas where we have heard requirements for better performance.
New format option for zone files stored on disk allows substantially faster zone loading. Most of the time required for reloading BIND is consumed by parsing the zone files. With this new feature, zone files can be saved in a ‘pre-compiled’ format. This feature applies to authoritative services, and specifically to slaves. Consult the BIND 9.10 Administrator’s Reference Manual (ARM) to learn when using map format would be a good idea, when it would be a bad idea, and the details of how to set up and use map-format zone files. See KB article AA-01120 for a summary of appropriate and inappropriate usage of map-format zone files.
DNS Pre-fetch can improve recursive resolver performance. DNS resource records that are received by a resolver are kept in its cache until they expire. BIND 9.10 now offers a “prefetch” option. When someone requests a record in the cache, BIND will serve that record, but also fetch a new copy, so it is fresh in the cache for the next requestor. This will improve the performance delivered to end users for resolving names that have short expiration times. See KB article AA-01122 for more information about this new “prefetch” option.
BIND “views” can now share zones, eliminating duplication of zone data for multiple views and saving memory.
We made substantial improvements in Response Policy Zone (RPZ) performance. See KB article AA-01121 for more information about this update and for a refresher on the RPZ mechanism and the impact of its use.
EDNS processing better tracks remote server capabilities when handling recursive queries. Instead of sending larger packets and gradually decreasing packet size when we receive errors, now we take a more pessimistic approach and start with small packets, graduating to larger sizes until we encounter errors. This should improve recursive performance when handling multiple authoritative servers and will also help in situations where connectivity is intermittent or limited by older or misconfigured in-path equipment.
A new ‘large server tuning’ option sets constants and default settings to values suited to large servers with abundant memory. This can improve performance on such servers, but will consume more memory and may degrade performance on smaller systems. In addition, adaptive mutex locks are now supported. This has been found to improve performance under load on systems that support them.
BIND 9.10 brings updates to statistics, troubleshooting tools and some helpful utilities for zone configuration.
XML statistics reported from BIND refocused on “new” format. BIND can provide statistics in either XML or JSON formats. JSON is significantly faster than XML, but is not supported yet on Windows. Previous versions of BIND had offered the option of XML statistics in regular (v2) or new (v3) format. In response to user feedback, BIND 9.10 offers only v3 format but offers it in the default version (without needing to custom-build a BIND with statistics enabled).
The statistics channel now also includes many new statistics, including statistics for the resolver, cache, address database, dispatch manager and task manager, which can be used to monitor server health. New URLs have been added to the statistics channel to provide broken-out subgroups of statistics so as to reduce parsing complexity. The XSL stylesheet that enables interpretation of XML statistics can now be cached by the browser. New counters track TCP and UDP queries on a per-zone basis. This satisfies the new ICANN reporting requirement for new Generic Top Level Domains (GTLDs). See KB article AA-01123 for more information about the XML statistics channel and its usage.
Here are two examples of the stylesheets, showing subsets of the statistics with tables and bar graphs.
Release 9.10 previews the Domain Entity Lookup and Validation engine (DELV), a new DNSSEC troubleshooting tool intended to eventually obsolete dig+sigchase. See KB article AA-01152 for more information.
The dig tool now has EDNS client-subnet support and EDNS Expire support. “dig +subnet” sends an EDNS CLIENT-SUBNET option when querying. “dig +expire” sends an EDNS EXPIRE option when querying. When this option is sent with an SOA query to a server that supports it, it will report the expiry time of a slave zone.
A new command makes it easier for others to help you troubleshoot your configuration.
- The new “named-checkconf -px” option will print the contents of configuration files with shared secrets obscured. This makes it easier to share your server configuration — for example, when reporting a bug — without revealing private information.
Several more utilities help with troubleshooting zone configuration.
- The “named-checkzone” and “named-compilezone” commands can now read journal files, allowing them to read the current state of a dynamic zone without freezing it and syncing its journal file first.
- The new “named-rrchecker” tool can be used to verify the syntactic correctness of individual resource records, or to convert them into a canonical format so that a newly defined record type can be loaded into an older name server that doesn’t recognize it.
- The new “rndc zonestatus” command reports information about a specified zone, including configuration details, last load time, serial number, and when the next automatic zone maintenance events are scheduled.
PKCS#11 API for direct control of HSM.
A new compile-time option (“configure --enable-native-pkcs11”) allows the BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware security module (HSM) directly instead of using a modified OpenSSL as an intermediary. This has been tested with the Thales nShield HSM, and with SoftHSMv2 from the OpenDNSSEC project. See the ‘Thales ISC Solution Brief’ from Thales. Information about this option and how to use it is in the BIND 9.10 ARM.
Three new options facilitate key management:
- The new “dnssec-signzone -Q” option causes dnssec-signzone, when re-signing a zone, to drop signatures from keys that are still published but are no longer active. This makes it easier to roll DNSSEC keys according to the “pre-publish key rollover” method described in RFC 4641, section 4.2.1.1.
- The new “dnssec-importkey” command allows the use of offline DNSSEC keys with automatic DNSKEY management. This allows an inline signing zone to publish or unpublish DNSKEY records on schedule even if it doesn’t have access to the corresponding private key data. (arguably a bug fix)
- Max-zone-ttl. The new “max-zone-ttl” option enforces maximum TTLs for zones. This can simplify the process of rolling DNSSEC keys by guaranteeing that cached signatures will have expired within the specified amount of time. Loading a zone with a higher TTL will fail. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.)
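The options described above (RRL, map-format slave zones, the statistics channel and max-zone-ttl) as a named.conf fragment for an authoritative server. This is an added example, not configuration from the ISC post or the BIND distribution; the directory, zone names, file names and addresses are placeholders, and the numbers are starting points to tune against your own query logs.

```conf
// Added example (not from the ISC post): BIND 9.10 authoritative server
// fragment. Paths, zone names and addresses are placeholders.
options {
    directory "/var/named";        // assumed working directory
    recursion no;                  // authoritative only; no open resolver

    // Response Rate Limiting, now built in by default. Identical responses
    // to one client /24 (IPv4) or /56 (IPv6) are limited to 5 per second,
    // averaged over a 5 second window. "slip 2" answers every second
    // rate-limited query with a truncated (TC) reply, so a real client
    // retries over TCP while a spoofed-source flood gets no amplification.
    // Set "log-only yes" first to see what would be dropped before enforcing.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;
    };

    // v3 XML/JSON statistics, exposed only to the local host.
    statistics-channels {
        inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
    };
};

// Master zone with inline signing. max-zone-ttl caps every TTL at one day,
// so once a key is retired its signatures are guaranteed to be out of all
// caches after 1d; a zone file with a longer TTL fails to load.
zone "example.com" {
    type master;
    file "example.com.db";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "keys";
    max-zone-ttl 1d;
};

// Slave zone stored in the new map format for fast reload. The map file is
// machine-specific and must not be edited or copied between hosts.
zone "example.net" {
    type slave;
    masters { 192.0.2.1; };        // placeholder master address
    file "example.net.map";
    masterfile-format map;
};
```

Check the result with “named-checkconf -z”, and use “named-checkconf -px” when sharing it so any TSIG secrets are obscured.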
Multiple DLZ databases can now be configured in the same server. Individual zones, of type “master” or “redirect”, can be configured to be served from a specific DLZ database. Details of how to configure and use this expanded capability as part of an expansion of NXDOMAIN redirection can be found in KB article AA-01150.
RPZ now allows response policies to be triggered based on the IP address of the client. See KB article AA-01121 for more information about this update and for a refresher on the RPZ mechanism and the impact of its use.
The Windows installer now places files in the Program Files area rather than system services. Several features previously unavailable on Windows are now available, including “delv” and the “export library” APIs including libirs. The Python tools “dnssec-coverage” and “dnssec-checkds” can now be enabled on Windows via “Configure”, but are not included in the installation zip files. All versions of Visual Studio up to 2013 are now supported, and support has been added for 64-bit builds.
Source Identity Token (SIT)
Similar to DNS Cookies (invented by Donald Eastlake and described in draft-eastlake-dnsext-cookies-04), these are designed to enable clients to detect off-path spoofed responses, and to enable servers to detect spoofed-source queries. Servers can be configured to send smaller responses to clients that have not identified themselves using a SIT option, reducing the effectiveness of amplification attacks. RRL processing has also been updated: clients proven to be legitimate via SIT are not subject to rate limiting. This feature is experimental in BIND 9.10 as the draft is updated and as client support is developed.
GeoIP support was first introduced in 9.9, through the subscription branch. With release 9.10 this feature is available to everyone. BIND 9 access control lists are used to give access to various server functions according to the IP address from which it was requested. BIND 9.10 is able to use data from MaxMind GeoIP databases to achieve restrictions based on the (presumed) geographic location of that address. The ACL itself is still address-based, but the GeoIP-based specification mechanisms can easily populate an ACL with addresses in a certain geographic location. This capability was derived from code contributed by Ken Brownfield. An interesting use of geographic ACLs is to offer different BIND Views to clients in different geographic locations. See KB article AA-01149 for more information about GeoIP features in BIND 9.10.
- The internal and export versions of the BIND libraries (libisc, libdns, etc) have been unified, so that when BIND 9 is built with shared libraries, other applications (e.g., ISC DHCP) can use those same libraries. Previously it was necessary to build two versions of the libraries, one for BIND 9 and another for external applications, but this is no longer the case.
- BIND 9.10 listens on IPv6 as well as IPv4 interfaces by default; it is no longer necessary to specify a “listen-on-v6” option.
- On operating systems that support routing sockets, including MacOSX, BSD and Linux, network interfaces are re-scanned automatically whenever they change. Use “automatic-interface-scan no;” to disable this feature. Use “rndc scan” to trigger an interface scan manually.
- Threads are now enabled by default on most operating systems, including Linux. Operators who were not previously using threads may see some changes in behavior.
- “named” now preserves the capitalization of names when responding to queries. For instance, a query for “example.com” may be answered with “example.COM” if the name was configured that way in the zone file. Previously the case of the answer always matched the case of the query, rather than the case of the name configured in the DNS, and some clients have a bug causing them to depend on that older behavior. Such clients can now be specified in the new “no-case-compress” ACL: this will restore the older behavior of “named” for those clients only.
We would like to thank everyone who alpha or beta tested the pre-releases, identified and reported bugs, contributed bug fixes or suggested new features. We would especially like to recognize those people who contributed code or assistance in creating the new features in 9.10.
Contributors to 9.10 new features
- Pierre Beyssac
- Ken Brownfield
- John Eaglesham
- Tony Finch
- Wilmer van der Gaast
- Vadim Goncharov
- Timothe Litt
- Peter Palfrader
- Kevin Sheehan
- Tim Tessier
- Vernon Schryver
Please accept our apologies if we have omitted anyone.