Vulnerability Development mailing list archives
FW: BIND version 9.0.0 Beta 1 Available
From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Mon, 7 Feb 2000 09:34:38 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -----Original Message----- From: David R. Conrad [mailto:David.Conrad () nominum com] Sent: Friday, February 04, 2000 5:39 PM Subject: BIND version 9.0.0 Beta 1 Available [apologies for possible duplicates] Announcing the release of BIND version 9 Beta 1. ISC is proud to announce the public availability of BIND version 9 Beta 1. This is an early beta release, not intended for production use. Most core functionality is present, but significant work remains to be completed. BIND version 9 beta 1 is available from: ftp://ftp.isc.org/isc/bind9/9.0.0b1/bind-9.0.0b1.tar.gz PGP signature: ftp://ftp.isc.org/isc/bind9/9.0.0b1/bind-9.0.0b1.tar.gz.asc Three new mailing lists have been created: bind9-bugs () isc org: for submitting BINDv9 bugs/enhancements bind9-workers () isc org: for developer discussions about BINDv9 bind9-users () isc org: for general discussions about BINDv9 To subscribe bind9-workers or bind9-users, send a message with the word "subscribe" to bind9-workers-request () isc org or bind9-users-request () isc org respectively. Note that these mailing lists are separate from the lists for discussing BIND version 8 or earlier. Enclosed is the README file included with the distribution kit. Enjoy, - -drc Executive Director, ISC - -------- BIND 9 BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture. This re-architecting of BIND was necessitated by the expected demands of: - Domain name system growth, particularly in very large zones such as .COM - Protocol enhancements necessary to securely query and update zones - Protocol enhancements necessary to take advantage of certain architectural features of IP version 6 These demands implied performance requirements that were not necessarily easy to attain with the BIND version 8 architecture. In particular, BIND must not only be able to run on multi-processor multi-threaded systems, but must take full advantage of the performance enhancements these architectures can provide. In addition, the underlying data storage architecture of BIND version 8 does not lend itself to implementing alternative back end databases, such as would be desirable for the support of multi-gigabyte zones. As such zones are easily foreseeable in the relatively near future, the data storage architecture needed revision. The feature requirements for BIND version 9 included: - Scalability Thread safety Multi-processor scalability Support for very large zones - Security Support for DNSSEC Support for TSIG Auditability (code and operation) Firewall support (split DNS) - Portability - Maintainability - Protocol Enhancements IXFR, DDNS, Notify, EDNS0 Improved standards conformance - Operational enhancements High availability and reliability Support for alternative back end databases - IP version 6 support IPv6 resource records (A6, DNAME, etc.) Bitstring labels APIs BIND version 9 development has been underwritten by the following organizations: Stichting NLNet - NLNet Foundation Sun Microsystems, Inc. Hewlett Packard Compaq Computer Corporation IBM Process Software Corporation Silicon Graphics, Inc. Network Associates, Inc. U.S. Defense Information Systems Agency USENIX Association BIND 9.0.0b1 BIND 9.0.0b1 is the first public release of BIND 9 code. It will be most useful to advanced users working with IPv6 or DNSSEC. BIND 9.0.0b1 is not functionally complete, and is not a release candidate for BIND 9.0.0. The ISC anticipates a number of additional beta releases between now and May, when BIND 9.0.0 is scheduled to be released. The ISC does not recommend using BIND 9.0.0b1 for "production" services. We hope users of BIND 9.0.0b1 will provide feedback, bug fixes, and enhancements. If you are not in a position to do so, it would probably be better to wait until subsequent releases. Much of the core technology planned for BIND 9.0.0 is in this beta release. Some of the highlights are: IPv6 Support for bitstring labels, DNAME, and A6 records. IPv6-aware resolver (follows A6 chains, can use IPv6 to talk to other nameservers). The nameserver listens on an IPv6 socket. DNSSEC All new RR types supported. The server generates DNSSEC responses for secure zones. EDNS0 DNS messages using UDP have been limited to 512 bytes. This is too small for DNSSEC replies, whose signature and key records can be large. EDNS0 allows larger UDP messages to be sent. EDNS0 is understood by the server, and used by the resolver. Some of the more significant items that will be implemented or enhanced in a future beta are DNSSEC validation The server does not currently validate DNSSEC signatures. Notify Notify is not yet implemented. Configuration File Some config file items are not yet implemented. See doc/misc/options for a summary of the current status. Selective Forwarding Documentation Future releases will contain a lot more documentation, but a preliminary version of the Administrator's Reference Manual is in the doc/arm subdirectory. Building BIND 9 currently requires a UNIX system with an ANSI C compiler, basic POSIX support, and a good pthreads implementation. We've had successful builds and tests on the following systems AIX 4.3 COMPAQ Tru64 UNIX 4.0D HP-UX 11 IRIX64 6.5 NetBSD current (with "unproven" pthreads) Red Hat Linux 6.0, 6.1 Solaris 2.6, 7, 8 (beta) To build, just ./configure make "make install" will install "named" and the various BIND 9 libraries. By default, installation is into /usr/local, but this can be changed with the "--prefix" option when running "configure". Shared libraries will be built if "--with-libtool" is added to the "configure" command. Building with gcc is not supported, unless gcc is the vendor's usual compiler (e.g. the various BSD systems, Linux). Parts of the library can be tested by running "make test" from the bin/tests subdirectory. Bug Reports and Mailing Lists Bugs reports should be sent to bind9-bugs () isc org To join the BIND 9 Users mailing list, send mail to bind9-users-request () isc org If you're planning on making changes to the BIND 9 source code, you might want to join the BIND 9 Workers mailing list. Send mail to bind9-workers-request () isc org "named" command line options -c <config_file> -d <debug_level> -f Run in the foreground. -N <number_of_cpus> -t <directory> Chroot to <directory> before running. -u <username> Run as user <username> after binding to privileged ports. Use of the "-t" option while still running as "root" doesn't enhance security on most systems. The way chroot() is defined allows a process with root privileges to escape the chroot jail. The "-u" option is not currently useful on Linux. Linux threads are actually processes sharing a common address space. An unfortunate side effect of this is that some system calls, e.g. setuid() that in a typical pthreads environment would affect all threads only affect the calling thread/process on Linux. The good news is that BIND 9 uses the Linux kernel's capability mechanism to drop all root powers except the ability to bind() to a privileged port. On systems with more than one CPU, the "-N" option should be used to indicate how many CPUs there are. Note to Programmers The APIs for the libraries in BIND 9 are not yet frozen. We expect the existing library interfaces in the release to be quite stable, however, and unless we've specifically indicated that an interface is temporary, we don't anticipate major changes in future releases. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOJ8A4Mm4FXxxREdXEQJBpgCgrgN9mNKdcCqkaEuvKgSR2T5JEtcAoJLi PfRN7f+7iZEK3LqCi2PhLqsQ =YadN -----END PGP SIGNATURE-----
Current thread:
- FW: BIND version 9.0.0 Beta 1 Available Oliver Friedrichs (Feb 07)