We have removed a number of workarounds and custom “fix-ups” for broken, non-compliant and obsolete operating systems. Some of these workarounds add significant complexity, due to the need to watch for and handle exceptions. Most of these workarounds are virtually untestable, which means that over time they become liabilities with no utility for most users.
Workarounds for servers that misbehave when queried with EDNS have been removed, because these broken servers and the workarounds for their noncompliance cause unnecessary delays, increase code complexity, and prevent deployment of new DNS features. See https://dnsflagday.net for further details.
Operating Systems and Library Support
We have removed support for operating systems that do not support the IPv6 API and POSIX threads in the system library.
BIND may no longer run on some older versions of popular operating systems, or on operating systems that are no longer maintained. We no longer have the ability to test on HP-UX, AIX, older Solaris or SPARC machines in-house. We are also unwilling to maintain a lot of special code to compensate for modern OS features that are missing on those platforms. We are willing to consider contributed patches to help keep these systems working, if they are still supported by their respective vendors.
We are removing support for algorithms no longer considered secure. We have already removed support for the ECC-GOST algorithm, and we will remove support for the DSA algorithm. We no longer support versions of OpenSSL prior to 1.0.0, and we strongly recommend using a supported OpenSSL version (1.0.2 or 1.1.0) or LibreSSL. OpenSSL (or a compatible library) is now required to compile BIND.
We are adopting C99 as our minimum coding standard, and have updated some functions that predated C99. We also decided to take advantage of widely available atomic operations support in C11 compilers and remove the older BIND custom code. (We are relying on a shim for atomic operations support in Windows, however.)
We have removed support for IDNA2003 fallbacks and now support only IDNA2008. This affects BIND tools such as dig, not BIND itself.
Going forward, to compile and run BIND successfully, you will need:
- A C99-compatible compiler with atomic operations support (C11 stdatomic, or __atomic, or __sync builtins with GCC or Clang compilers, and Interlocked functions with MSVC).
- A cryptography library (either OpenSSL, LibreSSL or an HSM with a PKCS#11 interface for public-key cryptography).
- A POSIX-compliant system with support for threads.
- Support for IPv6 in the operating system, even if you aren’t using IPv6 currently. (We had extra checks to determine whether IPv6 was available in the system, which we have removed. We need to protect against the case where BIND features that require IPv6 are enabled and the operating system doesn’t support it.)
In addition to this modernization and cleanup, we have made a few small feature changes.
- We now spread the initial RRSIG expiration times more evenly over the entire working sig-validity-interval when signing a zone in named, to smooth out re-signing and transfer loads. This will help signature maintenance for very large signed zones.
- We have added a new validate-except option, which specifies a list of domains beneath which DNSSEC validation should not be performed. This is effectively a long-term Negative Trust Anchor (NTA).
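To illustrate why spreading the initial RRSIG expiration times (the first feature change above) reduces re-signing peaks, here is a simplified model added to these notes; it is not named's own signing logic, and it assumes a 30-day sig-validity-interval, a 7-day re-sign lead time and a constructed zone of 3000 RRsets:

```python
from collections import Counter


def expiration_offsets(n_rrsets, validity_days, resign_days, spread):
    """Day (relative to the initial signing) on which each RRSIG expires.

    spread=False models the old behaviour: every RRSIG gets the full
    validity interval, so all of them expire, and must be regenerated,
    at the same time.  spread=True distributes expirations evenly over
    the working window (resign_days, validity_days].  This is an assumed,
    simplified model of the behaviour described in the release notes,
    not named's own signing code.
    """
    if not spread:
        return [validity_days] * n_rrsets
    window = validity_days - resign_days
    return [validity_days - (i * window) // n_rrsets for i in range(n_rrsets)]


def resign_schedule(offsets, resign_days):
    """Map day -> number of RRSIGs named must regenerate on that day.

    A signature is refreshed resign_days before it expires; every refresh
    changes the zone and therefore also drives IXFR/AXFR traffic.
    """
    return Counter(max(0, exp - resign_days) for exp in offsets)


def peak_daily_load(offsets, resign_days):
    """Largest number of RRSIGs regenerated on any single day."""
    return max(resign_schedule(offsets, resign_days).values())


if __name__ == "__main__":
    # Constructed scenario: a zone with 3000 RRsets, a 30-day
    # sig-validity-interval and re-signing 7 days before expiry.
    old = expiration_offsets(3000, 30, 7, spread=False)
    new = expiration_offsets(3000, 30, 7, spread=True)
    print("peak daily re-sign load, old:", peak_daily_load(old, 7))  # 3000
    print("peak daily re-sign load, new:", peak_daily_load(new, 7))  # 131
```

With every signature expiring on the same day, all 3000 RRSIGs (and the resulting zone transfer) land on one day; spreading them over the 23-day working window caps the daily load at 131.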