BIND 9.5 offers many new features, including many behind-the-scenes improvements. For the most part, the non-visible features help ISC's customers who have run into the upper end of what BIND 9.4 could handle.
BIND 9.5 adds many statistics counters, now including all counters that were available in BIND 8 and are meaningful in BIND 9. For details, read the BIND9 Statistics and Statistics Counters sections in the ARM.
BIND 9.5 adds a statistics server. This server provides basic data in XML format about the health of a BIND 9 server, and is intended for operators to access. It is very simplistic at this point and this feature may change based on our research and feedback from the community. We plan on adding more detailed statistics. An optional ACL can be applied, and we recommend that access be limited to localhost (127.0.0.1) or to a private wire interface (something internal, such as 10.x.y.z), or be firewalled using standard firewall technology. To enable the statistics, one must do two things:
1. Ensure that BIND 9.5 was compiled and linked with libxml2. This will appear in the output of ./configure as:
checking for libxml2 library... yes
2. Add a new statement in named.conf such as:
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
(You may want to enable zone-statistics too.)
The data is available via HTTP. Using the above example, it can be accessed with an XML-stylesheet-capable web browser at http://127.0.0.1:8053/. Note that we don't directly support or expect the use of HTML: we return XML data. This is intended to be processed by scripts, monitoring applications, or other tools, not by a web browser. We support the HTML-style output only as a debugging tool.
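As an added example (not part of the original document and not ISC's code), the Python script below applies the access advice above to the statistics-channels stanza of a named.conf: it parses each inet listener and flags any that listens outside loopback or RFC 1918 space, allows non-local clients, or has no allow clause at all. The sample configuration, the trusted-network list, and the defaults assumed for a missing port (80) and a missing allow clause (any client accepted), as I read the ARM, are assumptions of the example.

```python
import ipaddress
import re
# Constructed named.conf fragment (sample data, not from a real server): channel one follows
# the page's advice, two is publicly exposed with allow { any; }, three has no allow clause.
SAMPLE_NAMED_CONF = """
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
    inet 203.0.113.10 port 8053 allow { any; };
    inet 10.0.0.5 port 8053;
};
"""
# Loopback plus RFC 1918 space: what the page calls localhost or a private wire (assumption).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INET_RE = re.compile(r"inet\s+(?P<addr>\S+)(?:\s+port\s+(?P<port>\d+))?"
                     r"(?:\s+allow\s*\{(?P<allow>[^}]*)\})?\s*;")

def block_body(conf, keyword):
    """Text between the braces of `keyword { ... };`, honouring nested braces."""
    m = re.search(re.escape(keyword) + r"\s*\{", conf)
    depth, start = 0, (m.end() - 1 if m else len(conf))
    for j in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[j], 0)
        if depth == 0:
            return conf[start + 1:j]
    return ""

def parse_inet_lines(body):
    """Yield (address, port, [allow entries]); port defaults to 80 (assumed ARM default)."""
    for m in INET_RE.finditer(body):
        allow = [a.strip() for a in (m.group("allow") or "").split(";") if a.strip()]
        yield m.group("addr"), int(m.group("port") or 80), allow

def is_local_or_private(addr):
    """True for loopback/RFC 1918 addresses or prefixes; 'any', '*' and hostnames are not trusted."""
    try:
        return any(ipaddress.ip_address(addr.split("/")[0]) in net for net in TRUSTED_NETS)
    except ValueError:  # not a literal address
        return False

def audit_statistics_channels(conf):
    """Return (listener, reason) findings for channels reachable beyond localhost/private nets."""
    findings = []
    for addr, port, allow in parse_inet_lines(block_body(conf, "statistics-channels")):
        listener = f"{addr} port {port}"
        if not is_local_or_private(addr):
            findings.append((listener, "listens on a non-loopback, non-RFC 1918 address"))
        if not allow:  # assumption: without an allow clause named accepts any client
            findings.append((listener, "no allow clause, so any address may connect"))
        elif not all(is_local_or_private(a) for a in allow):
            findings.append((listener, "allow list contains a non-local entry: " + ", ".join(allow)))
    return findings
```

Run `audit_statistics_channels(open("/etc/named.conf").read())` against a real configuration to list the offending listeners; an empty list means every channel is confined to loopback or private space.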
For further details, read the ARM.

We have added two cache-cleaning changes. One of these affects all cache users, while the other affects users whose caches hit their configured memory limits. We have added a default cache size. Previously this was set to '0', which means unlimited; it is now set to 32 MB by default. This value was chosen somewhat by committee, and should be sufficient for most uses. It can be changed with the max-cache-size options statement.
The Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS is documented in RFC 3645. It is an update to Secret Key Transaction Authentication for DNS (TSIG). GSS-TSIG is the authentication mechanism of choice for DNS dynamic update in Microsoft Active Directory. It can be used to allow the named server to act as the DNS server for an Active Directory zone. GSS-TSIG is a composite of GSSAPI and TSIG -- a wrapper layer built on top of a wrapper layer. The common usage is DNS wrapping TSIG wrapping GSSAPI wrapping SPNEGO wrapping Kerberos 5 -- thus for practical purposes it's a mechanism for using Kerberos 5 to authenticate DNS.
This new record type, DHCID, is used for encoding DHCP information. DHCP servers and clients use it to associate a DHCP client with a DNS name, as a way of reducing conflicts in the use of fully-qualified domain names. The data is a one-way SHA-256 hash. More details are in RFCs 4701 and 4703.
EDNS (Extension Mechanisms for DNS) has been available for around eight years and many servers (and all root servers) support it. Some firewalls don't pass EDNS by default, some authoritative servers fail to respond to EDNS queries at all (instead of returning the required error), and timeouts may also be caused by network problems, dead servers, broken middleboxes, and broken authoritative servers. BIND 9.5 makes the fallback from EDNS to plain DNS due to timeouts more visible.
On timeouts, "named" retries EDNS with a 512-octet UDP size (which usually allows EDNS to get through a firewall, as the response is generally not fragmented and is within the sizes allowed by plain DNS) and then tries plain DNS if still needed. The server logs this to draw attention to the issue and to get any non-RFC-compliant boxes replaced or reconfigured. The following is suggested for BIND administrators for EDNS: