New features in BIND 9.6

Since BIND 9.5 was released in May 2008, many new features and improvements have been added to BIND. Over 125 changes have been made. The following are the highlights for the 9.6 release.

Full NSEC3 support

BIND 9.6 includes support for the NSEC3 record generation as defined in RFC 5155, DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. As an alternative to NSEC, it can prevent walking DNSSEC zones (zone enumeration). It also permits gradual expansion of delegation-centric zones. (NSEC3 has an opt-out bit which lets the zone owner save overhead by skipping over signing delegations to unsigned children zones.)

NSEC3 is not recommended unless there is a pressing need for the features it provides. It is expensive for both the server and the client. Most zones do not need the additional expense incurred by the use of NSEC3.

Automatic zone re-signing

BIND 9 provides incremental re-signing support for dynamic zones and includes new options -- sig-signing-nodes and sig-signing-signatures -- that break the work of re-signing a zone into smaller units.

libbind available as a separate download

The BIND 8 resolver library, libbind, has been removed from the BIND 9 distribution and is now available as a separate download. The build-time configure option for BIND 9, --enable-libbind, is now deprecated. Previously it was not built or installed by default.

Default PID file location

The default location for PID files changed from /var/run to /var/run/named/named.pid and /var/run/lwresd/lwresd.pid for improved chroot/setuid support.

This allows the owner of the containing directory to be set, for "named -u" support, and allows there to be a permanent symbolic link in the path, for "named -t" support.

New tool: dnssec-dsfromkey

Added a tool, dnssec-dsfromkey, to generate DS records from the DNSKEY contained in existing keyset or .key files. (The dnssec-signzone tool can also generate DS records, but this new tool, dnssec-dsfromkey, doesn't create a signed zone nor does it require a zone file.)
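One way to see what the two DNSSEC features above actually compute, as an added example in Python that is not BIND's code nor part of the original page: the RFC 5155 NSEC3 owner-name hash described under "Full NSEC3 support", and the RFC 4034 key tag and DS digest that dnssec-dsfromkey derives from a DNSKEY. The function names and the sample key bytes are the example's own; the only real test vector is the RFC 5155 appendix A hash of "example" with salt aabbccdd and 12 iterations.

```python
import base64
import hashlib

# Added example (not BIND's own code): the hashes behind the two features
# above. nsec3_hash() is the RFC 5155 owner-name hash a signer uses to form
# NSEC3 names; key_tag() and ds_digest() are the RFC 4034 computations that
# dnssec-dsfromkey performs on a DNSKEY. Sample key material is constructed.

# base32 -> base32hex alphabet (RFC 4648 section 7), as NSEC3 names require
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed 'iterations' more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte digest encodes to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key bytes."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 section 5.1.4 DS digest: hash(owner name wire form || DNSKEY RDATA).
    digest_type 1 is SHA-1; 2 is SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()
```

Each extra iteration costs one SHA-1 per name on the signer and on every validating resolver that has to prove a name absent, which is the expense the text warns about.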

Support Cryptoki hardware

BIND can be built with OpenSSL's PKCS#11 support, i.e., the Cryptographic Token Interface (Cryptoki). This allows an external security device, such as a Sun Crypto Accelerator, to be used for hardware-accelerated key generation and cryptographic operations and/or for protected key storage.

To build BIND with PKCS#11 support, first configure with the --with-pkcs11 option. For more details, see the new README.pkcs11 file included with the BIND 9.6 source.

New tool: dnssec-keyfromlabel

BIND 9 also adds the dnssec-keyfromlabel tool. It takes the label of a key pair held in a Hardware Security Module (HSM) and constructs a DNS key pair for use by named and dnssec-signzone. The device is accessed through the PKCS#11 interface.

Default TTL with nsupdate

With nsupdate, you can now set or clear the default time to live for records to be added. Previously you had to specify the TTL on every update. See the new manual page about "ttl" for details.

Report build options

The named daemon now logs its build options on startup. A new command-line option for named, '-V', is also provided to show this information. For example:

$ /usr/local/bind/sbin/named -V
BIND 9.6.0 built with '--prefix=//usr/local/bind'

Randomize server selection on queries

As a security improvement to make forgery a little more difficult, BIND 9.6 now attempts to make the order of server selection for queries less predictable. Previously, BIND would prefer to query the server with the lowest round trip time (RTT). Now servers that have not been tried yet have their RTT set to a random value between 0 ms and 7 ms, and the RTT values of servers that have been tried are randomly adjusted by up to 128 ms.

Specify max sockets on named command line

The named command has a new option, -S, to specify the maximum number of sockets. This may be used to override the system's defined number of file descriptors (FD_SETSIZE). It may be needed on some systems to support more listening sockets due to unique query ports. This option is unnecessary, and may even be harmful, for most systems -- read the new manual page for details.

DNSSEC Zone Key Tool included in contrib

BIND 9.6 includes dnssec-zkt in the source at contrib/zkt. The DNSSEC Zone Key Tool provides commands to create and list DNSSEC zone keys, sign zones, re-sign them, and automate key rollovers. They are wrappers around BIND 9's dnssec-keygen(8) and dnssec-signzone(8) tools. The official homepage and more information are at http://www.hznet.de/dns/zkt/. Thank you to Holger Zuleger for providing this code and for releasing it under a BSD license.

max-cache-size 0;

The max-cache-size option was reverted to 0, the previous default. This means that records are purged from the cache only when their TTLs expire.

Improved query port randomization performance

On supported platforms, BIND is compiled with kqueue, epoll, or /dev/poll support (instead of using generic polling routines). This helps "named" scale better when polling file descriptors.
