Yesterday afternoon, ISC published the first alpha release of BIND 9.9.0. This is an early technology preview, showing off some of the work we’ve been doing in BIND 9.
There will be more new features added in later alpha releases, but here’s what’s ready to debut now…
The big new item in 9.9.0a1 is NXDOMAIN redirection. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of “no such domain”. This enables a recursive operator, for example, to provide alternate suggestions for misspelled domain names. (Names that are in DNSSEC-signed domains are exempted from this when validation is in use.)
In addition to the start-up performance improvements that have already been released in BIND 9.8.1, BIND 9.9.0 improves query throughput on multi-processor systems by allowing multiple threads to listen for and process incoming queries.
There have been several changes to improve DNSSEC usability:
- Zones that were signed automatically via the ‘auto-dnssec’ option used to use NSEC by default, but could be switched to NSEC3 afterward. It is now possible to set NSEC3 parameters in these zones before they sign, skipping the NSEC3 step entirely.
- The ‘dnssec-signzone -D’ option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put “$INCLUDE example.com.signed” into the zonefile for example.com, run ‘dnssec-signzone -SD example.com’, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch.
- The ‘dnssec-signzone -X’ option allows signatures on DNSKEY records to have a different expiration date from other signatures. This makes it more convenient to keep your KSK on a separate system, and resign the zone with it less frequently.
- A new ‘-L’ option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel sets the default TTL for the DNSKEY record.
- The ‘dnssec-signzone -R’ option forces removal of signatures that are not expired but were created by a key which no longer exists.
- dnssec-dsfromkey can now read from standard input, making it easier to convert DNSKEY records to DS. For example, to get the DS records for isc.org, all that is necessary is:
dig dnskey isc.org | dnssec-dsfromkey -f - isc.org
(And stay tuned for BIND 9.9.0a2, which will include a new ‘inline-signing’ option, allowing “bump in the wire” signing.)
- The ‘also-notify’ option now takes the same syntax as ‘masters’, so you can use named lists of servers, and specify TSIG keys.
- The ‘serial-update-method’ option allows dynamic zones to have their SOA serial number set to the current UNIX time if desired, rather than simply incrementing the serial number with each change to the zone.
- The ‘rndc flushtree’ command clears all data under a given name from the DNS cache. So, for example, “rndc flushtree example.com” will not only remove example.com from the cache, but also www.example.com, mail.example.com, and so on.
- The ‘rndc sync’ command dumps pending changes in a dynamic zone to disk without having to go through a freeze/thaw cycle.
- ‘rndc freeze’ and ‘rndc thaw’ no longer remove the zone’s journal file; this makes it possible to use ixfr-from-differences with a dynamic zone.