HEADS UP: BIND 9 imported, and working!

[Brad Knowles]

At 5:07 AM +0100 2004-09-25, Doug Barton wrote:

>  There are many differences between BIND 8 and 9. Some of the more
>  important ones are how picky BIND 9 is about zone file format. Some
>  zones that loaded fine under BIND 8 will not load with 9. The named
>  process is controlled with a program called rndc. The ndc binary is
>  no longer present.

	Having worked with BIND 9 since it came out, I'm very glad to see 
that this has finally been imported into FreeBSD!


	However, there are a couple more differences I'd like to highlight.

	First, you cannot use rndc to start BIND 9, whereas you used to 
be able to do this with ndc for BIND 8.  The old ndc communicated 
with BIND 8 via Unix sockets or IP sockets, but didn't use any 
security in that process, and if it couldn't communicate with BIND 8, 
it could always start the binary locally.  The concept for rndc is 
that it is used to manage a network of nameservers via TCP 
exclusively, and it does use cryptographic methods to secure that 
process.  However, this means that it can't talk to BIND 9 until BIND 
9 is already running.  You will have to modify your start/stop 
scripts as appropriate.

	Second, there are tools provided with BIND 9 to make your life 
easier during migration.  Specifically, programs called 
named-checkzone and named-checkconf.  They will use the same library 
routines that BIND 9 uses when loading the zone files or the 
configuration file (respectively), and tell you what errors are found 
where.  If these programs don't report any errors in your 
configuration file or zone files, then you are reasonably certain 
that they should load okay.  There are a few things that can only be 
determined at load time by BIND 9 itself, but in terms of syntax 
checking, etc... you need to start with using these programs.


	There are some DNS debugging utilities that are also shipped with 
BIND.  I don't know where they are put in the FreeBSD scheme of 
things, but in the BIND scheme, they are found under contrib/ in 
separate sub-directories per program.  In BIND 9.3.0, there is nslint 
2.1a3, which may be of some use to you.  Keep in mind that DNS 
debugging tools don't typically work on zone files, instead they 
require that the nameserver already be running and the zone already 
be loaded, and then they do their thing as a normal DNS client -- 
some will actually use dig, while others may go straight to the 
library routines.

	It doesn't look like dnswalk or doc got included with the BIND 9 
tarball, but they are also very useful DNS debugging tools.  Note 
that doc is the only DNS debugging tool I know of that does not 
require zone transfer permission in order to do its task, whereas 
tools like nslint and dnswalk do require that ability.  If you want 
to use doc with BIND 9, you should grab the latest tarball at 
<ftp://ftp.shub-internet.org/pub/shub/brad/dns/doc-2.2.3.tar.bz2>.

	Another utility that may be of some use is nanny.pl, also found 
in contrib/.  Unfortunately, it uses "kill" to send signals to BIND 
9, which may have been okay with BIND 8, but is absolutely the wrong 
way to do things with BIND 9 -- all control of BIND 9 should be done 
via rndc and not signals.  Future versions of BIND 9 may remove the 
ability to send signals at all, and this may cause the program to 
crash.  Get used to doing everything through rndc now.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.