"Fossies" - the Fresh Open Source Software Archive

Member "README" (7 Sep 2020, 27528 Bytes) of package /linux/misc/dns/bind9/9.11.23/BIND9.11.23.x64.zip:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 README
    2 
    3 BIND 9
    4 
    5 Contents
    6 
    7  1. Introduction
    8  2. Reporting bugs and getting help
    9  3. Contributing to BIND
   10  4. BIND 9.11 features
   11  5. Building BIND
   12  6. macOS
   13  7. Dependencies
   14  8. Compile-time options
   15  9. Automated testing
   16 10. Documentation
   17 11. Change log
   18 12. Acknowledgments
   19 
   20 Introduction
   21 
   22 BIND (Berkeley Internet Name Domain) is a complete, highly portable
   23 implementation of the DNS (Domain Name System) protocol.
   24 
   25 The BIND name server, named, is able to serve as an authoritative name
   26 server, recursive resolver, DNS forwarder, or all three simultaneously. It
   27 implements views for split-horizon DNS, automatic DNSSEC zone signing and
   28 key management, catalog zones to facilitate provisioning of zone data
   29 throughout a name server constellation, response policy zones (RPZ) to
   30 protect clients from malicious data, response rate limiting (RRL) and
   31 recursive query limits to reduce distributed denial of service attacks,
   32 and many other advanced DNS features. BIND also includes a suite of
   33 administrative tools, including the dig and delv DNS lookup tools,
   34 nsupdate for dynamic DNS zone updates, rndc for remote name server
   35 administration, and more.
   36 
   37 BIND 9 is a complete re-write of the BIND architecture that was used in
   38 versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
   39 (c)(3) public benefit corporation dedicated to providing software and
   40 services in support of the Internet infrastructure, developed BIND 9 and
   41 is responsible for its ongoing maintenance and improvement. BIND is open
   42 source software licensed under the terms of ISC License for all versions
   43 up to and including BIND 9.10, and the Mozilla Public License version 2.0
   44 for all subsequent versions.
   45 
   46 For a summary of features introduced in past major releases of BIND, see
   47 the file HISTORY.
   48 
   49 For a detailed list of changes made throughout the history of BIND 9, see
   50 the file CHANGES. See below for details on the CHANGES file format.
   51 
   52 For up-to-date versions and release notes, see https://www.isc.org/
   53 download/.
   54 
   55 Reporting bugs and getting help
   56 
   57 To report non-security-sensitive bugs or request new features, you may
   58 open an Issue in the BIND 9 project on the ISC GitLab server at https://
   59 gitlab.isc.org/isc-projects/bind9.
   60 
   61 Please note that, unless you explicitly mark the newly created Issue as
   62 "confidential", it will be publicly readable. Please do not include any
   63 information in bug reports that you consider to be confidential unless the
   64 issue has been marked as such. In particular, if submitting the contents
   65 of your configuration file in a non-confidential Issue, it is advisable to
   66 obscure key secrets: this can be done automatically by using
   67 named-checkconf -px.
   68 
   69 If the bug you are reporting is a potential security issue, such as an
   70 assertion failure or other crash in named, please do NOT use GitLab to
   71 report it. Instead, send mail to security-officer@isc.org using our
   72 OpenPGP key to secure your message. (Information about OpenPGP and links
   73 to our key can be found at https://www.isc.org/pgpkey.) Please do not
   74 discuss the bug on any public mailing list.
   75 
   76 For a general overview of ISC security policies, read the Knowledge Base
   77 article at https://kb.isc.org/docs/aa-00861.
   78 
   79 Professional support and training for BIND are available from ISC at
   80 https://www.isc.org/support.
   81 
   82 To join the BIND Users mailing list, or view the archives, visit https://
   83 lists.isc.org/mailman/listinfo/bind-users.
   84 
   85 If you're planning on making changes to the BIND 9 source code, you may
   86 also want to join the BIND Workers mailing list, at https://lists.isc.org/
   87 mailman/listinfo/bind-workers.
   88 
   89 Contributing to BIND
   90 
   91 ISC maintains a public git repository for BIND; details can be found at
   92 http://www.isc.org/git/.
   93 
   94 Information for BIND contributors can be found in the following files: -
   95 General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
   96 style.md - BIND architecture and developer guide: doc/dev/dev.md
   97 
   98 Patches for BIND may be submitted as merge requests in the ISC GitLab
   99 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
  100 
  101 By default, external contributors don't have ability to fork BIND in the
  102 GitLab server, but if you wish to contribute code to BIND, you may request
  103 permission to do so. Thereafter, you can create git branches and directly
  104 submit requests that they be reviewed and merged.
  105 
  106 If you prefer, you may also submit code by opening a GitLab Issue and
  107 including your patch as an attachment, preferably generated by git
  108 format-patch.
  109 
  110 BIND 9.11 features
  111 
  112 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
  113 releases. New features include:
  114 
  115   • Added support for Catalog Zones, a new method for provisioning
  116     servers: a list of zones to be served is stored in a DNS zone, along
  117     with their configuration parameters. Changes to the catalog zone are
  118     propagated to slaves via normal AXFR/IXFR, whereupon the zones that
  119     are listed in it are automatically added, deleted or reconfigured.
  120   • Added support for "dnstap", a fast and flexible method of capturing
  121     and logging DNS traffic.
  122   • Added support for "dyndb", a new API for loading zone data from an
  123     external database, developed by Red Hat for the FreeIPA project.
  124   • "fetchlimit" quotas are now compiled in by default. These are for the
  125     use of recursive resolvers that are are under high query load for
  126     domains whose authoritative servers are nonresponsive or are
  127     experiencing a denial of service attack:
  128       □ fetches-per-server limits the number of simultaneous queries that
  129         can be sent to any single authoritative server. The configured
  130         value is a starting point; it is automatically adjusted downward
  131         if the server is partially or completely non-responsive. The
  132         algorithm used to adjust the quota can be configured via the
  133         "fetch-quota-params" option.
  134       □ fetches-per-zone limits the number of simultaneous queries that
  135         can be sent for names within a single domain. (Note: Unlike
  136         fetches-per-server, this value is not self-tuning.)
  137       □ New stats counters have been added to count queries spilled due to
  138         these quotas.
  139   • Added a new dnssec-keymgr key maintenance utility, which can generate
  140     or update keys as needed to ensure that a zone's keys match a defined
  141     DNSSEC policy.
  142   • The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
  143     and is no longer optional. EDNS COOKIE is a mechanism enabling clients
  144     to detect off-path spoofed responses, and servers to detect
  145     spoofed-source queries. Clients that identify themselves using COOKIE
  146     options are not subject to response rate limiting (RRL) and can
  147     receive larger UDP responses.
  148   • SERVFAIL responses can now be cached for a limited time (defaulting to
  149     1 second, with an upper limit of 30). This can reduce the frequency of
  150     retries when a query is persistently failing.
  151   • Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
  152     skipped if a name server IP address isn't in the cache yet; the
  153     address will be looked up and the rule will be applied on future
  154     queries.
  155   • Added a Python RNDC module. This allows multiple commands to sent over
  156     a persistent RNDC channel, which saves time.
  157   • The controls block in named.conf can now grant read-only rndc access
  158     to specified clients or keys. Read-only clients could, for example,
  159     check rndc status but could not reconfigure or shut down the server.
  160   • rndc commands can now return arbitrarily large amounts of text to the
  161     caller.
  162   • The zone serial number of a dynamically updatable zone can now be set
  163     via rndc signing -serial <number> <zonename>. This allows
  164     inline-signing zones to be set to a specific serial number.
  165   • The new rndc nta command can be used to set a Negative Trust Anchor
  166     (NTA), disabling DNSSEC validation for a specific domain; this can be
  167     used when responses from a domain are known to be failing validation
  168     due to administrative error rather than because of a spoofing attack.
  169     Negative trust anchors are strictly temporary; by default they expire
  170     after one hour, but can be configured to last up to one week.
  171   • rndc delzone can now be used on zones that were not originally created
  172     by "rndc addzone".
  173   • rndc modzone reconfigures a single zone, without requiring the entire
  174     server to be reconfigured.
  175   • rndc showzone displays the current configuration of a zone.
  176   • rndc managed-keys can be used to check the status of RFC 5001 managed
  177     trust anchors, or to force trust anchors to be refreshed.
  178   • max-cache-size can now be set to a percentage of available memory. The
  179     default is 90%.
  180   • Update forwarding performance has been improved by allowing a single
  181     TCP connection to be shared by multiple updates.
  182   • The EDNS Client Subnet (ECS) option is now supported for authoritative
  183     servers; if a query contains an ECS option then ACLs containing geoip
  184     or ecs elements can match against the the address encoded in the
  185     option. This can be used to select a view for a query, so that
  186     different answers can be provided depending on the client network.
  187   • The EDNS EXPIRE option has been implemented on the client side,
  188     allowing a slave server to set the expiration timer correctly when
  189     transferring zone data from another slave server.
  190   • The key generation and manipulation tools (dnssec-keygen,
  191     dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync
  192     and -Dsync options to set the publication and deletion times of CDS
  193     and CDNSKEY parent-synchronization records. Both named and
  194     dnssec-signzone can now publish and remove these records at the
  195     scheduled times.
  196   • A new minimal-any option reduces the size of UDP responses for query
  197     type ANY by returning a single arbitrarily selected RRset instead of
  198     all RRsets.
  199   • A new masterfile-style zone option controls the formatting of text
  200     zone files: When set to full, a zone file is dumped in
  201     single-line-per-record format.
  202   • serial-update-method can now be set to date. On update, the serial
  203     number will be set to the current date in YYYYMMDDNN format.
  204   • dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
  205   • named -L <filename> causes named to send log messages to the specified
  206     file by default instead of to the system log.
  207   • dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
  208     for weeks, days, hours, minutes, and seconds.
  209   • dig +unknownformat prints dig output in RFC 3597 "unknown record"
  210     presentation format.
  211   • dig +ednsopt allows dig to set arbitrary EDNS options on requests.
  212   • dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
  213     requests.
  214   • mdig is an alternate version of dig which sends multiple pipelined TCP
  215     queries to a server. Instead of waiting for a response after sending a
  216     query, it sends all queries immediately and displays responses in the
  217     order received.
  218   • serial-query-rate no longer controls NOTIFY messages. These are
  219     separately controlled by notify-rate and startup-notify-rate.
  220   • nsupdate now performs check-names processing by default on records to
  221     be added. This can be disabled with check-names no.
  222   • The statistics channel now supports DEFLATE compression, reducing the
  223     size of the data sent over the network when querying statistics.
  224   • New counters have been added to the statistics channel to track the
  225     sizes of incoming queries and outgoing responses in histogram buckets,
  226     as specified in RSSAC002.
  227   • A new NXDOMAIN redirect method (option nxdomain-redirect) has been
  228     added, allowing redirection to a specified DNS namespace instead of a
  229     single redirect zone.
  230   • When starting up, named now ensures that no other named process is
  231     already running.
  232   • Files created by named to store information, including mkeys and nzf
  233     files, are now named after their corresponding views unless the view
  234     name contains characters incompatible with use as a filename. Old
  235     style filenames (based on the hash of the view name) will still work.
  236 
  237 BIND 9.11.1
  238 
  239 BIND 9.11.1 is a maintenance release, and addresses the security flaws
  240 disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
  241 CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
  242 and CVE-2017-3138.
  243 
  244 BIND 9.11.2
  245 
  246 BIND 9.11.2 is a maintenance release, and addresses the security flaws
  247 disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and
  248 CVE-2017-3143. It also addresses several bugs related to the use of an
  249 LMDB database to store data related to zones added via rndc addzone or
  250 catalog zones.
  251 
  252 BIND 9.11.3
  253 
  254 BIND 9.11.3 is a maintenance release, and addresses the security flaw
  255 disclosed in CVE-2017-3145.
  256 
  257 BIND 9.11.4
  258 
  259 BIND 9.11.4 is a maintenance release, and addresses the security flaw
  260 disclosed in CVE-2018-5738. It also introduces "root key sentinel"
  261 support, enabling validating resolvers to indicate via a special query
  262 which trust anchors are configured for the root zone.
  263 
  264 BIND 9.11.5
  265 
  266 BIND 9.11.5 is a maintenance release, and also addresses CVE-2018-5741 by
  267 correcting faulty documentation and introducing the following new feature:
  268 
  269   • New krb5-selfsub and ms-selfsub rule types for update-policy
  270     statements allow updating of subdomains based on a Kerberos or Active
  271     Directory machine principal.
  272 
  273 BIND 9.11.6
  274 
  275 BIND 9.11.6 is a maintenance release, and also addresses the security
  276 flaws disclosed in CVE-2018-5743, CVE-2018-5745, CVE-2018-5744, and
  277 CVE-2019-6465.
  278 
  279 BIND 9.11.7
  280 
  281 BIND 9.11.7 is a maintenance release, and also addresses the security flaw
  282 disclosed in CVE-2018-5743.
  283 
  284 BIND 9.11.8
  285 
  286 BIND 9.11.8 is a maintenance release, and also addresses the security flaw
  287 disclosed in CVE-2019-6471.
  288 
  289 BIND 9.11.9
  290 
  291 BIND 9.11.9 is a maintenance release, and also adds support for the new
  292 MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
  293 
  294 BIND 9.11.10
  295 
  296 BIND 9.11.10 is a maintenance release.
  297 
  298 BIND 9.11.11
  299 
  300 BIND 9.11.11 is a maintenance release.
  301 
  302 BIND 9.11.12
  303 
  304 BIND 9.11.12 is a maintenance release.
  305 
  306 BIND 9.11.13
  307 
  308 BIND 9.11.13 is a maintenance release, and also addresses the security
  309 vulnerability disclosed in CVE-2019-6477.
  310 
  311 BIND 9.11.14
  312 
  313 BIND 9.11.14 is a maintenance release.
  314 
  315 BIND 9.11.15
  316 
  317 BIND 9.11.15 is a maintenance release.
  318 
  319 BIND 9.11.16
  320 
  321 BIND 9.11.16 is a maintenance release.
  322 
  323 BIND 9.11.17
  324 
  325 BIND 9.11.17 is a maintenance release.
  326 
  327 BIND 9.11.18
  328 
  329 BIND 9.11.18 is a maintenance release.
  330 
  331 BIND 9.11.19
  332 
  333 BIND 9.11.19 is a maintenance release, and also addresses the security
  334 vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
  335 
  336 BIND 9.11.20
  337 
  338 BIND 9.11.20 is a maintenance release, and also addresses the security
  339 vulnerability disclosed in CVE-2020-8619.
  340 
  341 BIND 9.11.21
  342 
  343 BIND 9.11.21 is a maintenance release.
  344 
  345 BIND 9.11.22
  346 
  347 BIND 9.11.22 is a maintenance release, and also addresses the security
  348 vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
  349 CVE-2020-8624.
  350 
  351 BIND 9.11.23
  352 
  353 BIND 9.11.23 is a maintenance release.
  354 
  355 Building BIND
  356 
  357 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
  358 basic POSIX support, and a 64-bit integer type. Successful builds have
  359 been observed on many versions of Linux and UNIX, including RHEL/CentOS,
  360 Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
  361 NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
  362 OpenWRT.
  363 
  364 BIND is also available for Windows Server 2008 and higher. See win32utils/
  365 build.txt for details on building for Windows systems.
  366 
  367 To build on a UNIX or Linux system, use:
  368 
  369     $ ./configure
  370     $ make
  371 
  372 If you're planning on making changes to the BIND 9 source, you should run
  373 make depend. If you're using Emacs, you might find make tags helpful.
  374 
  375 Several environment variables that can be set before running configure
  376 will affect compilation. Significant ones are:
  377 
  378    Variable                            Description
  379 CC             The C compiler to use. configure tries to figure out the
  380                right one for supported systems.
  381                C compiler flags. Defaults to include -g and/or -O2 as
  382 CFLAGS         supported by the compiler. Please include '-g' if you need
  383                to set CFLAGS.
  384                System header file directories. Can be used to specify
  385 STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
  386                Defaults to empty string.
  387                Any additional preprocessor symbols you want defined.
  388 STD_CDEFINES   Defaults to empty string. For a list of possible settings,
  389                see the file OPTIONS.
  390 LDFLAGS        Linker flags. Defaults to empty string.
  391 BUILD_CC       Needed when cross-compiling: the native C compiler to use
  392                when building for the target system.
  393 BUILD_CFLAGS   CFLAGS for the target system during cross-compiling.
  394 BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
  395 BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
  396 BUILD_LIBS     LIBS for the target system during cross-compiling.
  397 
  398 Additional environment variables affecting the build are listed at the end
  399 of the configure help text, which can be obtained by running the command:
  400 
  401 $ ./configure --help
  402 
  403 On platforms where neither the C11 Atomic operations library nor custom
  404 ISC atomic operations are available, updating the statistics counters is
  405 not locked due to performance reasons and therefore the counters might be
  406 inaccurate. Anybody building BIND 9 is strongly advised to use a modern
  407 C11 compiler with C11 Atomic operations library support.
  408 
  409 macOS
  410 
  411 Building on macOS assumes that the "Command Tools for Xcode" is installed.
  412 This can be downloaded from https://developer.apple.com/download/more/ or,
  413 if you have Xcode already installed, you can run xcode-select --install.
  414 (Note that an Apple ID may be required to access the download page.)
  415 
  416 Dependencies
  417 
  418 Portions of BIND that are written in Python, including dnssec-keymgr,
  419 dnssec-coverage, dnssec-checkds, and some of the system tests, require the
  420 argparse, ply and distutils.core modules to be available. argparse is a
  421 standard module as of Python 2.7 and Python 3.2. ply is available from
  422 https://pypi.python.org/pypi/ply. distutils.core is required for
  423 installation.
  424 
  425 Compile-time options
  426 
  427 To see a full list of configuration options, run configure --help.
  428 
  429 On most platforms, BIND 9 is built with multithreading support, allowing
  430 it to take advantage of multiple CPUs. You can configure this by
  431 specifying --enable-threads or --disable-threads on the configure command
  432 line. The default is to enable threads, except on some older operating
  433 systems on which threads are known to have had problems in the past.
  434 (Note: Prior to BIND 9.10, the default was to disable threads on Linux
  435 systems; this has now been reversed. On Linux systems, the threaded build
  436 is known to change BIND's behavior with respect to file permissions; it
  437 may be necessary to specify a user with the -u option when running named.)
  438 
  439 To build shared libraries, specify --with-libtool on the configure command
  440 line.
  441 
  442 For the server to support DNSSEC, you need to build it with crypto
  443 support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
  444 installed. If the OpenSSL library is installed in a nonstandard location,
  445 specify the prefix using --with-openssl=<PREFIX> on the configure command
  446 line. To use a PKCS#11 hardware service module for cryptographic
  447 operations, specify the path to the PKCS#11 provider library using
  448 --with-pkcs11=<PREFIX>, and configure BIND with "--enable-native-pkcs11".
  449 
  450 To support the HTTP statistics channel, the server must be linked with at
  451 least one of the following libraries: libxml2 http://xmlsoft.org or json-c
  452 https://github.com/json-c/json-c. If these are installed at a nonstandard
  453 location, then:
  454 
  455   • for libxml2, specify the prefix using --with-libxml2=/prefix,
  456   • for json-c, adjust PKG_CONFIG_PATH.
  457 
  458 To support compression on the HTTP statistics channel, the server must be
  459 linked against libzlib. If this is installed in a nonstandard location,
  460 specify the prefix using --with-zlib=/prefix.
  461 
  462 To support storing configuration data for runtime-added zones in an LMDB
  463 database, the server must be linked with liblmdb. If this is installed in
  464 a nonstandard location, specify the prefix using with-lmdb=/prefix.
  465 
  466 To support GeoIP location-based ACLs, the server must be linked with
  467 libGeoIP. This is not turned on by default; BIND must be configured with
  468 "--with-geoip". If the library is installed in a nonstandard location, use
  469 specify the prefix using "--with-geoip=/prefix".
  470 
  471 For DNSTAP packet logging, you must have installed libfstrm https://
  472 github.com/farsightsec/fstrm and libprotobuf-c https://
  473 developers.google.com/protocol-buffers, and BIND must be configured with
  474 --enable-dnstap.
  475 
  476 Certain compiled-in constants and default settings can be increased to
  477 values better suited to large servers with abundant memory resources (e.g,
  478 64-bit servers with 12G or more of memory) by specifying --with-tuning=
  479 large on the configure command line. This can improve performance on big
  480 servers, but will consume more memory and may degrade performance on
  481 smaller systems.
  482 
  483 On some platforms it is necessary to explicitly request large file support
  484 to handle files bigger than 2GB. This can be done by using
  485 --enable-largefile on the configure command line.
  486 
  487 Support for the "fixed" rrset-order option can be enabled or disabled by
  488 specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
  489 command line. By default, fixed rrset-order is disabled to reduce memory
  490 footprint.
  491 
  492 If your operating system has integrated support for IPv6, it will be used
  493 automatically. If you have installed KAME IPv6 separately, use --with-kame
  494 [=PATH] to specify its location.
  495 
  496 The --enable-querytrace option causes named to log every step of
  497 processing every query. This should only be enabled when debugging,
  498 because it has a significant negative impact on query performance.
  499 
  500 make install will install named and the various BIND 9 libraries. By
  501 default, installation is into /usr/local, but this can be changed with the
  502 --prefix option when running configure.
  503 
  504 You may specify the option --sysconfdir to set the directory where
  505 configuration files like named.conf go by default, and --localstatedir to
  506 set the default parent directory of run/named.pid. For backwards
  507 compatibility with BIND 8, --sysconfdir defaults to /etc and
  508 --localstatedir defaults to /var if no --prefix option is given. If there
  509 is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
  510 defaults to $prefix/var.
  511 
  512 Automated testing
  513 
  514 A system test suite can be run with make test. The system tests require
  515 you to configure a set of virtual IP addresses on your system (this allows
  516 multiple servers to run locally and communicate with one another). These
  517 IP addresses can be configured by running the command bin/tests/system/
  518 ifconfig.sh up as root.
  519 
  520 Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
  521 and will be skipped if these are not available. Some tests require Python
  522 and the dnspython module and will be skipped if these are not available.
  523 See bin/tests/system/README for further details.
  524 
  525 Unit tests are implemented using the CMocka unit testing framework. To
  526 build them, use configure --with-cmocka. Execution of tests is done by the
  527 Kyua test execution engine; if the kyua command is available, then unit
  528 tests can be run via make test or make unit.
  529 
  530 Documentation
  531 
  532 The BIND 9 Administrator Reference Manual is included with the source
  533 distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
  534 directory.
  535 
  536 Some of the programs in the BIND 9 distribution have man pages in their
  537 directories. In particular, the command line options of named are
  538 documented in bin/named/named.8.
  539 
  540 Frequently (and not-so-frequently) asked questions and their answers can
  541 be found in the ISC Knowledge Base at https://kb.isc.org.
  542 
  543 Additional information on various subjects can be found in other README
  544 files throughout the source tree.
  545 
  546 Change log
  547 
  548 A detailed list of all changes that have been made throughout the
  549 development BIND 9 is included in the file CHANGES, with the most recent
  550 changes listed first. Change notes include tags indicating the category of
  551 the change that was made; these categories are:
  552 
  553    Category                            Description
  554 [func]         New feature
  555 [bug]          General bug fix
  556 [security]     Fix for a significant security flaw
  557 [experimental] Used for new features when the syntax or other aspects of
  558                the design are still in flux and may change
  559 [port]         Portability enhancement
  560 [maint]        Updates to built-in data such as root server addresses and
  561                keys
  562 [tuning]       Changes to built-in configuration defaults and constants to
  563                improve performance
  564 [performance]  Other changes to improve server performance
  565 [protocol]     Updates to the DNS protocol such as new RR types
  566 [test]         Changes to the automatic tests, not affecting server
  567                functionality
  568 [cleanup]      Minor corrections and refactoring
  569 [doc]          Documentation
  570 [contrib]      Changes to the contributed tools and libraries in the
  571                'contrib' subdirectory
  572                Used in the master development branch to reserve change
  573 [placeholder]  numbers for use in other branches, e.g. when fixing a bug
  574                that only exists in older releases
  575 
  576 In general, [func] and [experimental] tags will only appear in new-feature
  577 releases (i.e., those with version numbers ending in zero). Some new
  578 functionality may be backported to older releases on a case-by-case basis.
  579 All other change types may be applied to all currently-supported releases.
  580 
  581 Bug report identifiers
  582 
  583 Most notes in the CHANGES file include a reference to a bug report or
  584 issue number. Prior to 2018, these were usually of the form [RT #NNN] and
  585 referred to entries in the "bind9-bugs" RT database, which was not open to
  586 the public. More recent entries use the form [GL #NNN] or, less often, [GL
  587 !NNN], which, respectively, refer to issues or merge requests in the
  588 GitLab database. Most of these are publicly readable, unless they include
  589 information which is confidential or security sensitive.
  590 
  591 To look up a GitLab issue by its number, use the URL https://
  592 gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
  593 use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
  594 
  595 In rare cases, an issue or merge request number may be followed with the
  596 letter "P". This indicates that the information is in the private ISC
  597 GitLab instance, which is not visible to the public.
  598 
  599 Acknowledgments
  600 
  601   • The original development of BIND 9 was underwritten by the following
  602     organizations:
  603 
  604       Sun Microsystems, Inc.
  605       Hewlett Packard
  606       Compaq Computer Corporation
  607       IBM
  608       Process Software Corporation
  609       Silicon Graphics, Inc.
  610       Network Associates, Inc.
  611       U.S. Defense Information Systems Agency
  612       USENIX Association
  613       Stichting NLnet - NLnet Foundation
  614       Nominum, Inc.
  615 
  616   • This product includes software developed by the OpenSSL Project for
  617     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
  618 
  619   • This product includes cryptographic software written by Eric Young
  620     (eay@cryptsoft.com)
  621 
  622   • This product includes software written by Tim Hudson
  623     (tjh@cryptsoft.com)