BIND 9.2.0 Release Notes
HP-UX 11.0
Manufacturing Part Number: 5991-0759
December 2004
United States
© Copyright 2004 Hewlett-Packard Development Company, L.P.
Legal Notices The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Printed in the US Confidential computer software. Valid license from HP required for possession, use or copying.
Contents
1. New Features
   BIND 8.1.2 Features Supported on HP-UX 11.0
   New BIND 9.2.0 Features
      Incremental Zone Transfer
      DNS Security
   Installing BIND 9.2.0 on HP-UX 11.0
3. Documentation
   Man Pages
4. Known Problems, Limitation and Defect Fixes
   Known Problems
   Limitation
1 New Features

BIND 9.2.0 is available on the HP-UX 11.0 platform as a Web upgrade. BIND 9.2.0 supports most of the features available in previous versions of BIND, with additional features.
BIND 8.1.2 Features Supported on HP-UX 11.0

This section lists the BIND 8.1.2 features that are supported on the HP-UX 11.0 operating system:
• DNS change notification (DNS Notify) (RFC 1996)
• Support for dynamic DNS update
• Improved logging system
• More efficient zone transfers
• New configuration syntax in the /etc/named.conf file
For information on these features, refer to the BIND 8.1.
New BIND 9.2.0 Features

The following lists the new BIND 9.2.0 features that are supported on the HP-UX 11.
When acting as a slave, BIND 9.2.0 attempts to use IXFR unless it is explicitly disabled. The following option statements enable or disable IXFR:
    [provide-ixfr yes_or_no;]
    [request-ixfr yes_or_no;]
provide-ixfr controls whether the server offers incremental transfers to its slaves; request-ixfr controls whether the server requests incremental transfers from its masters. You can set either option to yes or no in the /etc/named.conf configuration file. Both options may also be omitted from /etc/named.conf, in which case IXFR is attempted.
Validation of wildcard records in secure zones is not fully supported. In particular, a "name does not exist" response validates successfully even if it does not contain the NXT records that prove the existence of a matching wildcard. In practice this means BIND 9.2.0 accepts a negative answer for a name that a wildcard record could have matched, without the NXT proof that the wildcard does not apply.

Generating a Key

The /usr/bin/dnssec-keygen program generates keys. The following is a sample invocation of dnssec-keygen to generate a 768-bit DSA key for the domain example.
Signing the Child's Keyset

The /usr/bin/dnssec-signkey program signs a keyset for a child zone:
    # /usr/bin/dnssec-signkey example.com.keyset Kcom.+003+51944
The output of the above command is a file named example.com.signedkey, which contains the keys for example.com signed by the com zone's zone key.

Signing the Zone

The /usr/bin/dnssec-signzone program signs a zone. The following is a sample invocation of dnssec-signzone to sign the zone example.
NOTE: Do not manually edit the zone files of dynamic zones, because the changes can conflict with dynamic updates. Use the nsupdate utility to submit dynamic DNS update requests to a name server.

TSIG-Based Security

To secure server-to-server communication, BIND 9.2.0 primarily uses TSIG (transaction signatures). This covers zone transfer, notify, and recursive query messages. TSIG is most useful for dynamic updates.
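The following is an added example, not code from these release notes or from BIND: a minimal signer and verifier for the TSIG record described above (RFC 2845), using HMAC-MD5, the algorithm BIND 9.2.0 uses for TSIG. The key name "hp-key", the 128-bit secret, the query and the timestamps are constructed for the demonstration; the code has not been tested for interoperability against a real named and handles only a TSIG RR placed last in the additional section, as the RFC requires.

```python
"""Added example (not from the HP release notes): RFC 2845 TSIG with HMAC-MD5.
All names, secrets and messages below are constructed for the demo."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
HMAC_MD5 = "hmac-md5.sig-alg.reg.int"


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Offset just past a wire name, stopping at a compression pointer if present."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1


def build_query(qname, qtype=1, msg_id=0x1234):
    """Unsigned query: header with RD set, one question, nothing else."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that the MAC covers (RFC 2845 section 3.4.2)."""
    return (keyname_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    kn, alg = wire_name(keyname), wire_name(HMAC_MD5)
    mac = hmac.new(secret, msg + tsig_variables(kn, alg, time_signed, fudge), hashlib.md5).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (alg + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = kn + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def split_tsig(msg):
    """Return (message with TSIG removed and ARCOUNT decremented, parsed TSIG fields)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    start, rtype = None, None
    for _ in range(an + ns + ar):
        start = off
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    if start is None or rtype != TSIG_TYPE or off != len(msg):
        raise ValueError("no TSIG RR at the end of the additional section")
    rr = msg[start:]
    n = skip_name(rr, 0)
    rdata = rr[n + 10:]
    a = skip_name(rdata, 0)
    th, tl, fudge, macsize = struct.unpack("!HIHH", rdata[a:a + 10])
    orig_id, error, otherlen = struct.unpack("!HHH", rdata[a + 10 + macsize:a + 16 + macsize])
    fields = dict(keyname=rr[:n], alg=rdata[:a], time=(th << 32) | tl, fudge=fudge,
                  mac=rdata[a + 10:a + 10 + macsize], orig_id=orig_id, error=error,
                  other=rdata[a + 16 + macsize:a + 16 + macsize + otherlen])
    return msg[:10] + struct.pack("!H", ar - 1) + msg[12:start], fields


def verify(msg, keyname, secret, now):
    """Classify a request the way a server would: (ok, TSIG/DNS error name)."""
    try:
        unsigned, t = split_tsig(msg)
    except ValueError:
        return False, "FORMERR"
    if t["keyname"] != wire_name(keyname) or t["alg"] != wire_name(HMAC_MD5):
        return False, "BADKEY"
    covered = unsigned + tsig_variables(t["keyname"], t["alg"], t["time"], t["fudge"], t["error"], t["other"])
    expected = hmac.new(secret, covered, hashlib.md5).digest()
    if not hmac.compare_digest(expected, t["mac"]):   # constant-time comparison
        return False, "BADSIG"
    if abs(now - t["time"]) > t["fudge"]:             # replay window check
        return False, "BADTIME"
    if t["orig_id"] != struct.unpack("!H", unsigned[:2])[0]:
        return False, "FORMERR"
    return True, "NOERROR"


SECRET = bytes.fromhex("8d7c6b5a493827160f0e0d0c0b0a0908")   # constructed 128-bit demo key
```

The verifier checks the MAC before the time window, so an attacker who cannot forge the MAC also cannot probe the server's clock, and it uses a constant-time comparison. A 128-bit secret such as the one rndc-confgen or dnssec-keygen -a HMAC-MD5 produces must be shared out of band with every peer named in a key statement.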
file go to the default channels or to standard error if you have specified the -g option. Log files are no longer written to the /var/tmp directory; they are now written to the local directory.

Extended Configuration Syntax and Options

The BIND 9.2.0 configuration is similar to BIND 8.1.2; however, there are a few new areas of configuration, such as views. With a few modifications, a BIND 8.1.2 configuration file can be used as a BIND 9.2.0 configuration file.
• max-ncache-ttl
This option specifies the maximum time to cache negative answers. Default is 3 hours. The value should not exceed 7 days; a longer period is truncated to 7 days.
• transfer-source
This option specifies the IPv4 address to use for inbound zone transfers; it is also the source address used for refresh queries and forwarded dynamic updates.
"tkey-domain". Otherwise, the name of the shared key will be "random hex digits" + "tkey-domain". In most cases, this should be the server's domain name.
• tkey-dhkey
This option specifies the Diffie-Hellman key used by the server to generate shared keys for clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory.
This option specifies a list of addresses from which the server will not accept queries, and which it will not use to resolve a query. Default is none. The syntax of the blackhole option in the "options" statement in the /etc/named.conf file is as follows:
    [ blackhole { address_match_list }; ]
• coresize
This option specifies the maximum size of a core dump. Default is "default", that is, the system's own limit. The syntax of the coresize option in the "options" statement in the /etc/named.
prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default is unlimited, meaning that records are purged from the cache only when their TTLs expire.

New Option in "server" Statement

The bogus option can be used to prevent queries to a remote server that is giving out invalid data. The default value of bogus is no.
• max-transfer-idle-out
This option specifies how long an outbound zone transfer may remain idle before it is terminated. Default is 60 minutes.
• sig-validity-interval
This option specifies the validity period, and hence the expiry time, of DNSSEC signatures that are automatically generated as a result of dynamic updates. Default is 30 days.
• match-clients
This option specifies, as an address match list, which client addresses are served by the namespace defined by each view statement.
14. max-ncache-ttl
15. transfer-format
16. transfer-source
17. request-ixfr
18. provide-ixfr
19. cleaning-interval
20. key
21. server
22. trusted-keys
23. sig-validity-interval

An example of a view (split DNS setup) is as follows:
    view "internal" {
        // This should match our internal networks
        match-clients { 10.0.0.0/8; };
        // Provide recursive service to internal clients only
        recursion yes;
        // Provide a complete view of the example.
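The following is an added example, not code from these release notes or from BIND: it models how an address match list, the construct used by the blackhole option and by match-clients in the split-DNS view above, decides whether a client is dropped, which view serves it, and whether it gets recursion. The networks, the client addresses and the "!10.0.0.99" exclusion are constructed for the demonstration; the matching rule itself (elements tried in order, first match decides, a matching negated element means no match) is BIND's documented behaviour.

```python
"""Added example (not from the HP release notes): BIND address_match_list
semantics applied to blackhole and match-clients. Configuration is constructed."""
import ipaddress


def acl_matches(acl, client):
    """Walk the list in order; the first element that matches decides.
    A '!'-negated element that matches yields no-match immediately, and a list
    in which nothing matches is also no-match (so a trailing negation is useless)."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negated
    return False


def select_view(views, client):
    """Views are tried in configuration order; the first whose match-clients
    list matches serves the client. Returns the view name, or None."""
    for name, config in views:
        if acl_matches(config["match-clients"], client):
            return name
    return None


def classify_query(options, views, client):
    """Global blackhole first (those sources are dropped before any view is
    considered), then view selection; returns (disposition, view, recursion)."""
    if acl_matches(options.get("blackhole", []), client):
        return ("dropped", None, False)
    view = select_view(views, client)
    if view is None:
        return ("refused", None, False)
    return ("served", view, dict(views)[view].get("recursion", False))


# Constructed configuration mirroring the split-DNS layout: one misbehaving
# internal host is excluded from the internal view and falls through to external.
OPTIONS = {"blackhole": ["192.0.2.66"]}
VIEWS = [
    ("internal", {"match-clients": ["!10.0.0.99", "10.0.0.0/8"], "recursion": True}),
    ("external", {"match-clients": ["any"], "recursion": False}),
]
# A common mistake: with "any" first, the negation is never reached.
BROKEN_ACL = ["any", "!10.0.0.99"]
```

The order of views matters as much as the order inside each list: if "external" with match-clients { any; } were listed first, every internal client would silently receive the external, non-recursive view.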
• forwarders
This option specifies the IP addresses to be used for forwarding. The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It also allows servers that do not have direct access to the Internet to look up external names.
named-checkzone

This utility performs syntax and consistency checks on the contents of a zone. named-checkzone is run on the command line as:
    /usr/sbin/named-checkzone [-dq] [-c class] zone [filename]
where
    -d enables debugging.
    -q enables quiet mode (exit code only).
    -c class specifies the class of the zone.
    zone specifies the zone whose contents are to be checked.
and command is one of the following:

Table 1-1 rndc commands

Command                        Description
reload                         reload configuration file and zones
reload zone [class [view]]     reload the given zone
refresh zone [class [view]]    schedule zone maintenance for the given zone
stats                          write server statistics to the statistics file
querylog                       toggle query logging
dumpdb                         dump the current contents of the cache into the file specified by the dump-file option in named.conf
NOTE: Refer to the rndc(1) man page for more information.

rndc has its own configuration file, /etc/rndc.conf. A sample rndc.conf file is distributed with this release of BIND. The file can also be generated automatically by the rndc-confgen utility, which is distributed with BIND 9.2.0; see the rndc-confgen section.
rndc-confgen is run on the command line as:
    rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
where
    -a configures rndc automatically. This creates the file /etc/rndc.key, which is read by both rndc and named on start-up. Because rndc.key holds the shared secret, it should be readable only by the user named runs as.
    -b keysize specifies the size of the authentication key in bits. The value must be between 1 and 512. Default is 128 bits.
New Command Line Options

Table 1-2 lists the new command line options that have been added to the various binaries and tools in BIND 9.2.0.

Table 1-2 New Command Line Options

Binary/Tool    Option    Usage
dig            -b        Set the source IP address of the query to address. This must be a valid address on one of the host's network interfaces.
dig            -k        Sign the DNS queries sent by dig and their responses using transaction signatures (TSIG) with the key read from the given key file.
Table 1-2 New Command Line Options (Continued)

Binary/Tool       Option          Usage
dnssec-signkey    -s start-time   Specify the date and time when the generated SIG records become valid. This can be either an absolute or a relative time. If no start-time is specified, the current time is used.
dnssec-signzone   -d directory    Look for signedkey files in directory.
Table 1-2 New Command Line Options (Continued)

Binary/Tool       Option    Usage
dnssec-signzone   -t        Print performance statistics on completion.
named             -v        Report the version number and exit.
named-checkconf   -t        chroot to directory to process include directives in the configuration file as if run by a similarly chrooted named.
named-checkconf   -v        Print the version number of named-checkconf and exit.
Table 1-2 New Command Line Options (Continued)

Binary/Tool    Option       Usage
nsupdate       show         Display the current message, containing all the prerequisites and updates specified since the last send operation.
rndc           -k keyname   Specify the key name of the rndc authentication key. This must be a valid domain name. Default is rndc-key.
Changed Features

This section describes the changed features in BIND 9.2.0.

HP-specific Options

The following lists the HP-specific options added in BIND 9.2.0:
• noforward
This option cannot be specified in the "options" statement in BIND 9.2.0. Instead, forwarding can be suppressed by including an empty forwarders sub-statement, as shown in the following example:
    options {
        forwarders { 192.249.249.1; };
    }
    zone "hp.com" {
        type slave;
        masters { 192.249.249.4; };
        file "db.
• auth-nxdomain
If this option is set to yes, the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default value for this option has been changed from "yes" to "no".
Unsupported Features

This section lists and describes the BIND 8.1.2 options that are not supported in BIND 9.2.0:
• named-xfer
This program is obsolete because its function is now part of the named binary.
• memstatistics-file
This option is obsolete in this release because the "deallocate-on-exit" option is always enabled and checks for memory leaks.
• statistics-file
This option is not supported in this release because it uses a large amount of memory and degrades response time.
• statistics-interval
This option was used in BIND 8.1.2 to log name server statistics at regular intervals. The logging consumes a lot of memory and degrades response time.
• multiple-cnames
This option was used in BIND 8.1.2 to allow multiple CNAME records, in violation of the DNS standards. BIND 9.2.0 strictly enforces the CNAME rules both in master files and in dynamic updates.
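The following is an added example, not code from these release notes or from BIND, illustrating the CNAME rules that BIND 9.2.0 enforces and that the named-checkzone utility described earlier reports: more than one CNAME at an owner name, or a CNAME sharing its owner with any other data (RFC 1034 section 3.6.2). The zone text and the origin example.com are constructed for the demonstration; the parser handles only a simple one-record-per-line subset of the master file format with an explicit owner on every line, and lets SIG and NXT records coexist with a CNAME since RFC 2535 DNSSEC, as shipped in BIND 9.2.0, requires that.

```python
"""Added example (not from the HP release notes): an offline check for the
CNAME rules that BIND 9.2.0 enforces. Zone data below is constructed."""
from collections import defaultdict


def parse_records(zone_text, origin):
    """Parse a simple master-file subset: one record per line as
    'owner [ttl] [class] type rdata'. $-directives and comments are skipped and
    relative owner names are qualified with origin (which must end in '.')."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields.pop(0).lower()
        if not owner.endswith("."):
            owner = origin if owner == "@" else f"{owner}.{origin}"
        if fields and fields[0].isdigit():
            fields.pop(0)                       # optional TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                       # optional class
        rtype = fields.pop(0).upper()
        records.append((owner, rtype, " ".join(fields)))
    return records


def check_cname_rules(records):
    """Return one error string per violation: several CNAMEs at one owner, or a
    CNAME alongside other data. SIG/NXT (RFC 2535 DNSSEC) may accompany a CNAME."""
    by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        by_owner[owner].append(rtype)
    errors = []
    for owner, types in sorted(by_owner.items()):
        ncname = types.count("CNAME")
        others = sorted({t for t in types if t not in ("CNAME", "SIG", "NXT")})
        if ncname > 1:
            errors.append(f"{owner}: {ncname} CNAME records (multiple-cnames is not supported)")
        if ncname and others:
            errors.append(f"{owner}: CNAME and other data ({', '.join(others)})")
    return errors


def lint_zone(zone_text, origin):
    """Convenience wrapper: parse, then check."""
    return check_cname_rules(parse_records(zone_text, origin))


# Constructed zone with two records BIND 8's multiple-cnames option tolerated
# but BIND 9.2.0 rejects.
SAMPLE_ZONE = """
$TTL 3600
@       IN SOA   ns1 hostmaster 2004120101 3600 900 604800 3600
@       IN NS    ns1
ns1     IN A     192.0.2.1
www     IN CNAME ns1
ftp     IN CNAME ns1
ftp     IN CNAME www            ; second CNAME at the same owner
mail    IN CNAME ns1
mail    IN MX    10 ns1         ; CNAME plus other data
"""
```

Run the real check with /usr/sbin/named-checkzone before loading a zone converted from BIND 8.1.2; a zone that relied on multiple-cnames will fail to load in BIND 9.2.0 rather than serve partial data.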
• rfc2308-type1 yes_or_no
If this option is set to yes, the server sends NS records along with the SOA record for negative answers. The default is no.
• min-roots
This option specifies the minimum number of root servers required for a request for the root servers to be accepted. Default is 2.
• unix
The unix control channel in the controls statement is not supported in BIND 9.2.0.
2 Installation Information

Read this chapter before installing BIND 9.2.0 on HP-UX 11.0.
System Requirements

The following lists the system requirements to install BIND 9.2.0:
• Hewlett-Packard 9000 System
• HP-UX operating system version 11.
Migrating from Previous Versions of BIND

The following sections describe how to migrate from previous versions of BIND to BIND 9.2.0.

From 4.9.7 to 9.2.0

A shell script, named-bootconf.sh, is provided with BIND 9.2.0 in the /usr/bin directory to convert the BIND 4.9.7 configuration file to a BIND 9.2.0-compliant configuration file. The following steps describe how to convert the existing /etc/named.boot file to the BIND 9.2.
From 8.1.2 to 9.2.0

BIND 9.2.0 expects the db files in a slightly different format compared to previous versions. A shell script, change2v9db.sh, is provided with BIND 9.2.0 to convert the existing db files to BIND 9.2.0-compliant db files. The script is installed in the /usr/bin directory. The following steps describe how to convert the db files to BIND 9.2.0-compliant db files:
1. cd to the directory where the db files exist.
2.
Compatibility with Previous Versions of BIND

This section provides the BIND 9.2.0 compatibility information.

BIND 4.9.7 Compatibility

This section discusses BIND 9.2.0 compatibility with BIND 4.9.7.
• BIND 9.2.0 uses a system-assigned port for the UDP queries it makes, rather than port 53 as BIND 4.9.7 does. This may conflict with some firewalls. Note that pinning outgoing queries to one fixed source port makes them more predictable to an attacker; where possible, allow the system-assigned port range through the firewall instead. To specify a port, edit the /etc/named.
• Outgoing zone transfers now use the "many-answers" format by default. This format is not understood by certain old versions of BIND 4.9.7. The problem can be resolved by using the option "transfer-format one-answer;", but HP recommends upgrading the slave servers.

BIND 8.1.2 Compatibility

This section discusses BIND 9.2.0 compatibility with BIND 8.1.2.
• Configuration file compatibility — BIND 9.2.
Installing BIND 9.2.0 on HP-UX 11.0

BIND 9.2.0 is available as a web release for the HP-UX 11.0 platform at HP's software depot, www.software.hp.com. After downloading the software package, use the swinstall command to install the package on your system. Detailed information on how to use BIND 9.2.0 can be found in the respective man pages.

Step 1
If you have installed BIND 8.1.2 on your system, use the swremove command to remove the old web upgrade.
disable BIND 9.2.0 by running the command "/usr/bin/enable_inet -r bind" on the command line to revert to the base version delivered with HP-UX 11.0 (BIND 4.9.7) prior to patching. If you have installed BIND 9.2.0 on your system, use the swremove command to remove BIND 9.2.0 before installing or removing any old version of BIND.
3 Documentation

This chapter discusses the product documentation that is distributed with BIND 9.2.0.
Man Pages

BIND 9.2.0 documentation is available through its man pages. Table 3-1 lists and describes the man pages distributed with BIND 9.2.0.

Table 3-1 Man Pages

Man Page              Description
named.1m              Internet domain name server
dnssec-keygen.1       Key generation tool for DNSSEC
dnssec-makekeyset.1   Program used to produce a set of DNS keys
dnssec-signkey.1      DNSSEC keyset signing tool
dnssec-signzone.1     DNSSEC zone signing tool
host.1                DNS lookup utility
nslookup.

Table 3-1 Man Pages (Continued)

Man Page              Description
rndc-confgen.1        rndc key generation tool
named-conf.
4 Known Problems, Limitation and Defect Fixes

This chapter discusses the known problems and limitations in BIND 9.2.0.
Known Problems

The following are the known problems in BIND 9.2.0:
• In BIND 9.2.0, if duplicate data is available for a query, the duplicate data is not dropped.
• Use of the wildcard address "*" in "query-source address * port 53;" may not work as expected. Instead of the wildcard address "*", use an explicit source IP address.
Limitation

The following is the limitation in BIND 9.2.0:
• The rndc dumpdb command dumps only the cache contents. To obtain the contents of a zone (db file), run a dig axfr query against the server instead.
Defect Fixes

Table 4-1 lists and describes the defects fixed in this release of BIND:

Table 4-1 Defect Matrix

Defect #          Description
CR JAGaa31678     DoCoMo performance changes on 11.0
CR JAGad78349     "logging" statement in named.conf does not work with longer log filenames.
Table 4-1 Defect Matrix (Continued)

Defect #          Description
CR JAGae33027     named does not handle the ENOSR error when writing to the internal control pipe.
CR JAGae33084     A buffer-length based computational error exists in nslookup.
CR JAGae37800     OpenSSL not working properly.
CR JAGae69740     named does not handle large domain names properly.
CR JAGae69742     named handles certain valid octal bit labels incorrectly.
Table 4-1 Defect Matrix (Continued)

Defect #          Description
CR JAGae97983     In a multithreaded environment, named may abort with an assertion failure. The error reported in syslog is as follows:
                  critical: lib/dns/name.c:3200: REQUIRE((((name) != 0L) && (((const isc__magic_t *)(name))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))))) failed
                  Sep 11 15:54:09.
Table 4-2 lists BIND 9.2.0 defect fixes that are backported from newer versions of BIND.

Table 4-2 Backported Defects

Version Number    Defect Number
BIND 9.2.4        JAGaf09745, JAGaf06536
BIND 9.2.3        JAGae70323, JAGae97983
BIND 9.2.2        JAGaf40799, JAGae08966, JAGae69740
BIND 9.2.