HEADS UP: BIND 9 imported, and working!
brad at stop.mail-abuse.org
Sat Sep 25 05:27:02 PDT 2004
At 5:07 AM +0100 2004-09-25, Doug Barton wrote:
> There are many differences between BIND 8 and 9. Some of the more
> important ones are how picky BIND 9 is about zone file format. Some
> zones that loaded fine under BIND 8 will not load with 9. The named
> process is controlled with a program called rndc. The ndc binary is
> no longer present.

Having worked with BIND 9 since it came out, I'm very glad to see
that this has finally been imported into FreeBSD!

However, there are a couple more differences I'd like to highlight.

First, you cannot use rndc to start BIND 9, whereas you used to
be able to do this with ndc for BIND 8. The old ndc communicated
with BIND 8 via Unix sockets or IP sockets, but didn't use any
security in that process, and if it couldn't communicate with BIND 8,
it could always start the binary locally. The concept for rndc is
that it is used to manage a network of nameservers via TCP
exclusively, and it does use cryptographic methods to secure that
process. However, this means that it can't talk to BIND 9 until BIND
9 is already running. You will have to modify your start/stop
scripts as appropriate.

Second, there are tools provided with BIND 9 to make your life
easier during migration. Specifically, programs called
named-checkzone and named-checkconf. They will use the same library
routines that BIND 9 uses when loading the zone files or the
configuration file (respectively), and tell you what errors are found
where. If these programs don't report any errors in your
configuration file or zone files, then you are reasonably certain
that they should load okay. There are a few things that can only be
determined at load time by BIND 9 itself, but in terms of syntax
checking, etc... you need to start with using these programs.

There are some DNS debugging utilities that are also shipped with
BIND. I don't know where they are put in the FreeBSD scheme of
things, but in the BIND scheme, they are found under contrib/ in
separate sub-directories per program. In BIND 9.3.0, there is nslint
2.1a3, which may be of some use to you. Keep in mind that DNS
debugging tools don't typically work on zone files, instead they
require that the nameserver already be running and the zone already
be loaded, and then they do their thing as a normal DNS client --
some will actually use dig, while others may go straight to the

It doesn't look like dnswalk or doc got included with the BIND 9
tarball, but they are also very useful DNS debugging tools. Note
that doc is the only DNS debugging tool I know of that does not
require zone transfer permission in order to do its task, whereas
tools like nslint and dnswalk do require that ability. If you want
to use doc with BIND 9, you should grab the latest tarball at

Another utility that may be of some use is nanny.pl, also found
in contrib/. Unfortunately, it uses "kill" to send signals to BIND
9, which may have been okay with BIND 8, but is absolutely the wrong
way to do things with BIND 9 -- all control of BIND 9 should be done
via rndc and not signals. Future versions of BIND 9 may remove the
ability to send signals at all, and this may cause the program to
crash. Get used to doing everything through rndc now.

Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
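
The start/stop changes described in the message above, as an added example that is not part of the original post or of FreeBSD's own scripts: named is started directly after named-checkconf and named-checkzone pass, and stop/reload go through rndc rather than signals. The paths, the zone list, the variable names and the function names are assumptions, and rndc is assumed to already have a working key for this server.

```shell
#!/bin/sh
# Added example: start/stop wrapper for BIND 9. Paths, the zone list and the
# variable and function names are assumptions; adjust to the local install.
NAMED=${NAMED:-named}
RNDC=${RNDC:-rndc}
CHECKCONF=${CHECKCONF:-named-checkconf}
CHECKZONE=${CHECKZONE:-named-checkzone}
NAMED_CONF=${NAMED_CONF:-/etc/namedb/named.conf}
# One "zone-name zone-file" pair per line (constructed sample values).
ZONES=${ZONES:-"example.com /etc/namedb/master/example.com.db
0.0.127.in-addr.arpa /etc/namedb/master/localhost.rev"}

# Validate named.conf and every listed zone. All zones are checked so every
# error is reported in one pass; the result is non-zero if anything failed.
bind9_precheck() {
    $CHECKCONF "$NAMED_CONF" || return 1
    rc=0
    while read -r zone file; do
        [ -n "$zone" ] || continue
        $CHECKZONE "$zone" "$file" || { echo "zone $zone failed" >&2; rc=1; }
    done <<EOF
$ZONES
EOF
    return $rc
}

# Dispatch one action. Only "start" runs the named binary itself.
bind9_ctl() {
    case "$1" in
    start)
        # rndc can only talk to a server that is already running.
        bind9_precheck || return 1
        $NAMED -c "$NAMED_CONF" ;;
    stop)
        $RNDC stop ;;                     # not kill(1) or signals
    reload)
        bind9_precheck || return 1        # never reload a broken config
        $RNDC reload ;;
    status)
        $RNDC status ;;
    *)
        echo "usage: bind9_ctl start|stop|reload|status" >&2
        return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then bind9_ctl "$@"; fi
```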