BIND 9.3.
Legal Notices © Copyright 2003, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
1 BIND 9.3.2 Release Notes
Announcement
What is in this version
BIND 9.3.2 features
1 BIND 9.3.2 Release Notes
This document discusses the most recent product information pertaining to Berkeley Internet Name Domain (BIND) 9.3.2. It also discusses how to install BIND 9.3.2 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems.
This document addresses the following topics:
• “Announcement”
• “What is in this version”
• “BIND 9.3.2 features”
• “Changed features”
• “Installing BIND 9.3.
• “New options to enable and disable IXFR”
• “Transition support for IPv4 and IPv6”
• “New commands in the rndc utility”
• “New option in the zone statement”
• “New command-line options”
• “Supports RFC 4193 (Unique local IPv6 unicast addresses)”

DNSSEC implementation based on RFC 4033, 4034, and 4035
Starting with BIND 9.3.
For more information on the new DNSSEC options, see named.conf(1).
• New DNSSEC statement in the options statement
BIND 9.3.2 contains trusted-keys, a new DNSSEC statement in the options statement located in the /etc/named.conf file. The trusted-keys statement defines DNSSEC security roots. A security root is defined when the public key for a non-authoritative zone cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned.
Where: acl1 specifies the name of the list of master name servers.

New options in the Options statement
Table 3 lists the new options added in the options statement.
Table 3 New Options in the Options Statement (continued)
Option | Description
querylog | Specifies whether query logging must be started when named starts. If querylog is not specified, query logging is determined by the presence of the logging category queries.
disable-algorithms | Disables the DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. However, only the most specific disable-algorithms option is applied.
Application and Support). The check-names option checks the owner names of A, AAAA, and MX records and also checks domain names in the RDATA of NS, SOA, and MX records. It also applies to the RDATA of PTR records where the owner name indicates that it is a reverse lookup of a hostname (the owner name ends with in-addr.arpa, ip6.arpa, or ip6.int). The default value of the check-names option depends on the usage area. For master zones, the default value is fail.
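The check-names scope described above, as an added example that is not HP's or ISC's code: the Python sketch below picks out the names the option applies to in each record and tests them against a simplified letters-digits-hyphen hostname rule. The hostname rule, the function names and the sample records are assumptions constructed for illustration; named's own check may differ in detail.

```python
import re

# Assumed, simplified hostname label rule: letters, digits and hyphens,
# not starting or ending with a hyphen, at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa", ".ip6.int")

def is_hostname(name):
    """True if every label of the domain name passes the assumed rule."""
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))

def checked_names(owner, rtype, rdata):
    """Return the names in one record that fall under check-names."""
    names, fields = [], rdata.split()
    if rtype in ("A", "AAAA", "MX"):
        names.append(owner)            # owner names of A, AAAA and MX
    if rtype == "NS":
        names.append(fields[0])        # name server target
    elif rtype == "MX":
        names.append(fields[1])        # exchange follows the preference
    elif rtype == "SOA":
        names.append(fields[0])        # MNAME; RNAME is a mailbox, left out here
    elif rtype == "PTR" and owner.rstrip(".").lower().endswith(REVERSE_SUFFIXES):
        names.append(fields[0])        # PTR target, reverse-lookup owners only
    return names

def check_zone(records, mode="fail"):
    """mode is fail, warn or ignore; returns (zone_accepted, problems)."""
    if mode == "ignore":
        return True, []
    problems = [(owner, rtype, name)
                for owner, rtype, rdata in records
                for name in checked_names(owner, rtype, rdata)
                if not is_hostname(name)]
    return (mode == "warn" or not problems), problems

# Constructed sample records (owner, type, RDATA); not taken from a real zone.
SAMPLE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns_1.example.com."),            # underscore in RDATA
    ("web_01.example.com.", "A", "192.0.2.10"),             # underscore in owner
    ("_sip._tcp.example.com.", "SRV", "0 5 5060 sip.example.com."),  # type not covered
    ("10.2.0.192.in-addr.arpa.", "PTR", "web_01.example.com."),
    ("alias.example.com.", "PTR", "bad_name.example.com."),  # PTR outside reverse tree
    ("example.com.", "MX", "10 mail.example.com."),
]

if __name__ == "__main__":
    for mode in ("fail", "warn", "ignore"):
        print(mode, check_zone(SAMPLE, mode))
```

With mode set to fail the zone is rejected on the three underscore names; warn reports the same names but accepts the zone, and ignore skips the check.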
New commands in the rndc utility
The following are new commands in the remote name daemon control (rndc) utility:
• retransfer zone [class [view]]
This command enables you to retransfer the given zone from the master name server.
• freeze zone [class [view]]
This command enables you to suspend updates to a dynamic zone and enables you to edit a zone that is usually updated dynamically.
Table 5 New Command-Line Options (continued)
Binaries/Tools | Options | Description
named-checkzone | -n mode | Specifies if name server (NS) records must be checked to verify whether they are addresses. The values for this option are fail, warn, and ignore. The default value is warn.
named-checkzone | -o filename | Writes the zone output to the directory
named-checkzone | -t directory | Specifies the directory under which the named-checkzone command is chrooted.
supports only RSASHA1 and DSA algorithms for DNSSEC. HMAC-MD5 and DH are also supported, in which case a KEY record is generated instead of a DNSKEY record. The -k option must be used to generate a KEY record.
◦ In BIND 9.3.2, the key file supplied to nsupdate using the -k option must contain a key of the type KEY and not DNSKEY.
◦ The dnssec-signzone command creates the db..signed file, which contains the NSEC (corresponding to the NXT record in 9.2.
2. Go to the HP Software Depot website at: http://h20293.www2.hp.com/
3. Use the Search button to browse for BIND. The product catalog page is displayed.
4. Select BIND in the product catalog. The BIND page is displayed.
5. Read the “Overview” and “Installation” pages for BIND.
6. Select the Receive for Free>> option at the bottom right of any of these pages.
7. Select the appropriate release of HP-UX operating system.
8. Enter the registration information.
Verifying the BIND 9.3.2 installation
To verify whether the BIND 9.3.2 depot is installed successfully on your system, enter the following command at the HP-UX prompt:

    # swlist -l product

If BIND 9.3.2 is installed properly, the following output is displayed:
• On an HP-UX 11i v1 operating system

    # Initializing...
    # Contacting target "hostname"...
    #
    # Target: hostname:/
    #
    BindUpgrade C.9.3.2.7.0 BIND special release upgrade

• On an HP-UX 11i v2 operating system

    # Initializing...
Related information
The following sections discuss the documentation available for BIND 9.3.2.

Manpages
Table 8 describes the manpages distributed with the BIND 9.3.2 depot.

Table 8 BIND 9.3.2 Manpages
Manpage | Description
dnssec-keygen(1) | Tool to generate keys for DNSSEC
dnssec-signzone(1) | Tool to sign the DNSSEC zone
host(1) | Utility for DNS lookup
named-checkconf(1) | Tool to check the syntax of the named configuration file
named-checkzone(1) | Tool to check the validity of a zone
nslookup.
Defects fixed in the HP-UX 11i v1 and HP-UX 11i v2 operating systems
Table 9 lists the defects fixed in BIND 9.3.2 in both the HP-UX 11i v1 and HP-UX 11i v2 operating systems.

Table 9 Defects Fixed in both HP-UX 11i v1 and HP-UX 11i v2 Operating Systems
Identifier | Description
Defects fixed in BIND 9.3.2 (C.9.3.2.7.0)
QXCR1000952300 | The named daemon does not behave as expected for certain messages.
Table 9 Defects Fixed in both HP-UX 11i v1 and HP-UX 11i v2 Operating Systems (continued)
Identifier | Description
JAGag07595 | BIND 9.x does not handle AXFR/IXFR responses properly in certain scenarios.
JAGaf71605 | BIND 9.3.2 must be enabled on the HP-UX 11i v1 and v2 operating systems.

Defects fixed in the HP-UX 11i v3 operating system
Table 10 lists the defects fixed in BIND 9.3.2 in the HP-UX 11i v3 operating system.
Table 10 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier | Description
Defects fixed in BIND 9.3.2 (C.9.3.2.1.0)
JAGag41036 | named(1M) fails with an "out of memory" error message if the size of the cache memory exceeds 1 GB.
JAGag45362 | Query ID generation is cryptographically weak.
JAGag32951 | named(1M) does not handle queries of type ANY properly.
JAGag32950 | named(1M) unexpectedly aborts under certain circumstances.
BIND 9.3.