New Features in BIND 9.9 -- released 29 Feb, 2012
DNSSEC Inline Signing
This feature greatly simplifies the deployment of DNSSEC by allowing completely automatic, fully transparent signing of zones. Using the new 'inline-signing' option on a master server lets named turn on DNSSEC for a zone without modifying the original zone file in any way: named keeps the signed data in a separate copy alongside the unsigned file. Using it on a slave server allows a zone to be signed even if it is served from a master whose database does not support DNSSEC: the slave receives the unsigned zone by zone transfer, signs it, and serves the signed version.
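The two deployments described above, as an added example rather than code from ISC's page: a POSIX shell script that generates a KSK/ZSK pair and prints the named.conf zone stanza for either role. The zone name example.com, the key directory /var/named/keys, the master address 192.0.2.1 and the config path under /etc/named are placeholders.

```shell
#!/bin/sh
# Added example, not ISC's code: BIND 9.9 inline signing for one zone, on
# the master that holds the unsigned file or on a slave that signs on behalf
# of a master that cannot. example.com, /var/named/keys and 192.0.2.1 are
# placeholders.

KEYDIR="${KEYDIR:-/var/named/keys}"

# Generate a KSK and a ZSK into $KEYDIR (needs dnssec-keygen from BIND).
# auto-dnssec maintain only uses keys it finds in key-directory, and named
# must be able to read the K*.private files there.
make_keys() {
    zone="$1"
    dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 2048 -f KSK "$zone"
    dnssec-keygen -K "$KEYDIR" -a RSASHA256 -b 1024 "$zone"
}

# Print the zone stanza for $1. $2 is "master" (sign the local file) or
# "slave" (sign what arrives by zone transfer from $3, "bump in the wire").
# The unsigned source is never modified; named writes the signed copy to
# db.<zone>.signed plus a journal beside it, so that directory must be
# writable by the user named runs as.
inline_zone_stanza() {
    zone="$1"; role="$2"; master="${3:-}"
    case "$role" in
        master) ;;
        slave)
            if [ -z "$master" ]; then
                echo "slave role needs the master address" >&2
                return 1
            fi ;;
        *) echo "role must be master or slave" >&2; return 1 ;;
    esac
    printf 'zone "%s" {\n' "$zone"
    printf '    type %s;\n' "$role"
    if [ "$role" = slave ]; then
        printf '    masters { %s; };\n' "$master"
    fi
    printf '    file "db.%s";\n' "$zone"
    printf '    key-directory "%s";\n' "$KEYDIR"
    printf '    inline-signing yes;    // sign a separate copy of the zone\n'
    printf '    auto-dnssec maintain;  // publish/retire DNSKEYs and re-sign on key timing\n'
    printf '};\n'
}

# Syntax check an operator runs before reloading (skipped when the BIND
# tools are not installed).
check_config() {
    conf="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf"
    else
        echo "named-checkconf not found; skipping syntax check" >&2
    fi
}

# Set BIND_APPLY=1 to actually generate keys and write the stanza.
if [ "${BIND_APPLY:-0}" = 1 ]; then
    make_keys example.com
    inline_zone_stanza example.com master > /etc/named/zones.d/example.com.conf
    check_config /etc/named/named.conf
fi
```

After `rndc reload`, `dig +dnssec @127.0.0.1 example.com SOA` should return an RRSIG with the answer; edits go into the unsigned db.example.com followed by `rndc reload example.com`, and named re-signs the changed data. The chain of trust is only complete once the DS for the KSK (dnssec-dsfromkey produces it) is published at the parent.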
Some example configurations may be found at
NXDOMAIN Redirection
This is a mechanism for resolver operators to redirect users when a query would otherwise have resulted in "no such domain". This allows an ISP, for example, to provide alternate suggestions for misspelled domain names. (Whenever the client requests DNSSEC validation and the requested name is in a DNSSEC-signed domain, NXDOMAIN redirection will not take place, so validating clients still receive the authenticated denial of existence.)
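A minimal redirect setup for the feature above, as an added example and not code from ISC's page: a POSIX shell script that prints the named.conf fragment and the wildcard zone file for a recursive server. The landing addresses 192.0.2.100 and 2001:db8::100, the SOA names under example.net and the file name redirect.db are placeholders.

```shell
#!/bin/sh
# Added example, not ISC's code: NXDOMAIN redirection on a BIND 9.9
# recursive server. Addresses, names and file paths are placeholders.

# Zone data for the redirect zone. The wildcard owner supplies the answer
# for any name that would otherwise get NXDOMAIN; SOA and NS are required
# for the file to load but are not what clients see.
redirect_zone_file() {
    cat <<'EOF'
$TTL 300
@   IN SOA  ns.example.net. hostmaster.example.net. (
            2012022901 ; serial
            3600 900 604800 300 )
@   IN NS   ns.example.net.
*   IN A    192.0.2.100    ; landing page for misspelled names
*   IN AAAA 2001:db8::100
EOF
}

# named.conf fragment. The redirect zone must be named "." and be of
# type redirect; this does not make the server authoritative for the root.
redirect_named_conf() {
    cat <<'EOF'
options {
    recursion yes;
    allow-recursion { localnets; };
    dnssec-validation auto;
};
zone "." {
    type redirect;
    file "redirect.db";
};
EOF
}

# Write both files into $1 and syntax-check them if the BIND tools exist.
install_redirect() {
    dir="$1"
    redirect_zone_file  > "$dir/redirect.db"
    redirect_named_conf > "$dir/redirect.conf"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone . "$dir/redirect.db"
    else
        echo "named-checkzone not found; skipping zone check" >&2
    fi
}

# Checks to run from a client after `rndc reload` (placeholder resolver
# address 192.0.2.53):
#   dig +short  @192.0.2.53 nosuchname.example.invalid. A   -> 192.0.2.100
#   dig +dnssec @192.0.2.53 nosuchname.example.invalid. A   -> status: NXDOMAIN
if [ "${BIND_APPLY:-0}" = 1 ]; then
    install_redirect /etc/named
fi
```

The second dig in the comment is not redirected because the DO bit is set and the root zone, which proves the name does not exist, is signed. Since the root and most TLDs are signed, redirection is in practice seen by clients that do not set DO (typical stub resolvers), not by validating resolvers forwarding to this server.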
Multiprocessing Performance Improvements
When built with thread support and when running on multicore UNIX or Linux systems, named can now use multiple threads to listen for incoming UDP traffic. On some architectures, this allows a significant improvement in query performance.
Further information at:
This release includes a substantially reworked recursive client management system, improving hardware scalability. Prior releases showed some degradation in performance when running with more than eight processor cores.
Startup and Reconfiguration Performance Improvements
BIND 9.9 includes a fix that greatly improves startup performance on authoritative systems using large numbers of zones. The zone task table is sized based on the number of configured zones; previously it used a hard-coded size. Customers have reported speedups ranging from 3x to 20x as a result of this fix.
Slave zones are now cached in raw (binary) format instead of text format by default; this cuts load time for slave zones by roughly 50%. The raw files are not readable in a text editor; use 'named-compilezone -f raw -F text' to convert one for inspection, or set 'masterfile-format text' on zones where the text format is still needed.
'rndc reconfig' has been modified to minimize the time during which name service is interrupted.
Improved RNDC Commands
The new 'rndc flushtree' command removes a specified name and all names beneath it from the DNS cache, without flushing the rest of the cache.
'rndc freeze' and 'rndc thaw' no longer remove a zone's journal file; this allows 'ixfr-from-differences' to be used with dynamic zones. To sync and remove a journal file, use 'rndc sync -clean'.
General DNSSEC Improvements
The new 'rndc signing' command provides greater visibility and control of the automatic DNSSEC signing process. When a zone is being signed by named, records are inserted into the zone indicating which keys are currently in the process of signing and which have finished (this enables named to resume the process correctly if there is a crash before the zone is fully signed). With 'rndc signing' it is possible to view this status information and to remove the records that indicate signing is complete.
'rndc signing' also allows configuration of the NSEC3 parameters of a zone. This can be done even before a zone is signed, enabling named to sign zones with NSEC3 without the need to use NSEC first.
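The status, clean-up and NSEC3 operations described in the two paragraphs above, as an added example rather than ISC's code: a POSIX shell wrapper around 'rndc signing'. The zone example.com, the key ids and the sample '-list' output are constructed for illustration; by default the script only prints the rndc commands it would run.

```shell
#!/bin/sh
# Added example, not ISC's code: an operator workflow around `rndc signing`
# on BIND 9.9. Zone name, key ids and SAMPLE_LIST are constructed.

# Commands are printed unless DRY_RUN=0, so the workflow can be reviewed
# before it touches a live server.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi
}

# Constructed sample of `rndc signing -list example.com` output: one line
# per signing record; "Done signing" means that key's pass has completed.
SAMPLE_LIST='Signing with key 24365/RSASHA256
Done signing with key 53742/RSASHA256
Done signing with key 11245/RSASHA256'

# Read `-list` output on stdin, print "keyid/alg" for every finished key.
finished_keys() {
    sed -n 's/^Done signing with key \([0-9][0-9]*\/[A-Za-z0-9]*\)$/\1/p'
}

# Remove the "done" records of zone $1 (list output on stdin). Records for
# keys that are still signing are left alone so an interrupted run resumes.
clear_finished() {
    zone="$1"
    finished_keys | while read -r key; do
        run rndc signing -clear "$key" "$zone"
    done
}

# Switch zone $1 to NSEC3. $2 flags (1 = opt-out), $3 iterations, $4 salt
# in hex, as in the NSEC3PARAM RR; the hash algorithm is always 1 (SHA-1).
# Works on a zone that is not signed yet, so NSEC is never used first.
set_nsec3() {
    zone="$1"; flags="$2"; iterations="$3"; salt="$4"
    run rndc signing -nsec3param 1 "$flags" "$iterations" "$salt" "$zone"
}

# Go back to NSEC.
unset_nsec3() {
    run rndc signing -nsec3param none "$1"
}

if [ "${BIND_APPLY:-0}" = 1 ]; then
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    set_nsec3 example.com 0 10 "$salt"
    rndc signing -list example.com | clear_finished example.com
fi
```

Keep the iteration count low: every extra NSEC3 iteration is extra hashing for both the signer and every validating resolver, and it does not add meaningful protection against zone enumeration.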
The 'also-notify' option now uses the same syntax as the 'masters' option. This allows, for example, a port and a TSIG key to be specified for each NOTIFY target, so slaves can require signed notifies.
The new 'serial-update-method' option allows you to choose, in dynamic zones, whether changes should cause the SOA serial number to be incremented by one ('increment', the default) or set to the current Unix time ('unixtime'). With 'unixtime', named falls back to incrementing by one when the existing serial is already greater than or equal to the current time, so the serial can never go backwards.
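Both options above in one dynamic-zone configuration, as an added example and not ISC's code: a POSIX shell script that prints the TSIG key statements and the master and slave zone stanzas. The zone dyn.example.com, the addresses 192.0.2.1/192.0.2.2, the key names notify-key and update-key and the secrets passed in are placeholders.

```shell
#!/bin/sh
# Added example, not ISC's code: a dynamic zone whose NOTIFYs are TSIG
# signed using the 9.9 also-notify syntax and whose serial follows the
# clock. Names, addresses, key names and secrets are placeholders.

# Print a key statement. A secret can be produced with, for example,
#   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST notify-key
# and taken from the Key: line of the resulting .private file.
tsig_key() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Master side. $1 zone, $2 slave address, $3 notify key, $4 update key.
master_zone_stanza() {
    zone="$1"; slave="$2"; nkey="$3"; ukey="$4"
    cat <<EOF
zone "$zone" {
    type master;
    file "db.$zone";
    // nsupdate clients sign with $ukey and may only touch names in this zone
    update-policy { grant $ukey subdomain $zone. ANY; };
    // serial = seconds since the epoch on each change; named increments
    // instead when the current serial is already >= the current time
    serial-update-method unixtime;
    // 9.9: masters-style syntax, so port and TSIG key can be given per target
    also-notify { $slave port 53 key $nkey; };
    notify explicit;   // NOTIFY only the also-notify list, not the NS set
};
EOF
}

# Slave side. $1 zone, $2 master address, $3 notify key. Accepting NOTIFY
# only with the key stops unsigned notifies from forcing refresh cycles.
slave_zone_stanza() {
    zone="$1"; master="$2"; nkey="$3"
    cat <<EOF
zone "$zone" {
    type slave;
    file "db.$zone";
    masters { $master; };
    allow-notify { key $nkey; };
};
EOF
}

# Full fragment for one side ("master" or "slave"); secrets via $3 and $4.
render_side() {
    side="$1"; zone="$2"; nsecret="$3"; usecret="${4:-}"
    tsig_key notify-key "$nsecret"
    case "$side" in
        master)
            tsig_key update-key "$usecret"
            master_zone_stanza "$zone" 192.0.2.2 notify-key update-key ;;
        slave)
            slave_zone_stanza "$zone" 192.0.2.1 notify-key ;;
        *) echo "side must be master or slave" >&2; return 1 ;;
    esac
}
```

The same key statement (name, algorithm and secret) must appear in both named.conf files; the update key is only needed on the master.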