BIND 9.2.0 Release Notes: HP-UX 11i v1

Chapter 1 New and Changed Features

New BIND 9.2.0 Features


This section describes the new features in BIND 9.2.0.

New Options in Options Statement

The following lists the new options added in the Options statement:

  • dump-file

    This option is used to specify the pathname of the file to which the server dumps the database with the rndc dumpdb command. Default is named_dump.db. The syntax of dump-file option in the Options statement in the /etc/named.conf file is as shown below:

    dump-file "path_name";

    where:

    path_name specifies the file to which the server dumps the database.

  • statistics-file

    This option is used to specify the pathname of the file in which the server appends statistics using the rndc stats command. Default is named.stats in the server’s current directory. The syntax of statistics-file option in the “Options” statement in the /etc/named.conf file is as shown below:

    statistics-file "path_name";

    The statistics file generated by BIND 9.2.0 is similar, but not identical, to that generated by BIND 8.1.2. For information on the format of the statistics file and the statistics counters, refer to the named.conf(4) man page distributed with this release.

  • blackhole

    This option is used to specify a list of addresses from which the server will not accept queries and which it will not use to resolve a query. Queries from these addresses are dropped without a response, which makes blackhole the right place for sources that flood the server or whose answers must never be trusted. Default is none. The syntax of the blackhole option in the “Options” statement in the /etc/named.conf file is as shown below:

    [ blackhole { address_match_list }; ]
  • coresize

    This option is used to specify the maximum size of a core dump. Default is default, which keeps the core-size limit that was in force when the server was started; size_spec may also be unlimited or a number with an optional K, M or G suffix. Note that a core file of named contains the server's in-memory configuration, including any TSIG and rndc secrets, so it must be protected at least as carefully as the configuration files themselves. The syntax of the coresize option in the “Options” statement in the /etc/named.conf file is as shown below:

    [ coresize size_spec ; ]
  • sortlist

    The sortlist statement takes an address_match_list and interprets it. Each top level statement in sortlist must be an explicit address_match_list with one or two elements. The first element, which may be an IP address, IP prefix, acl name or a nested address_match_list is checked against the source address of the query until a match is found.

    Once the source address of the query has been matched, if the top level statement contains only one element, the actual element that matched the source address is used to select the addresses in the response that are moved to the beginning of the response. If the top level statement contains two elements, the second element is itself an address_match_list giving the preferred order: each of its elements is assigned a distance in list order, and addresses in the response that match an earlier element are moved ahead of those that match a later one or none at all. In both cases the address in the response with the minimum distance is moved to the beginning of the response.

    The syntax of the sortlist option in the Options statement in the /etc/named.conf file is as shown below:

    [ sortlist { address_match_list }];
    NOTE: Refer to the named.conf(4) man page for more information on the usage of sortlist statement.
  • max-cache-size

    max-cache-size is used to specify the maximum amount of memory to use for the server’s cache, in bytes. When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default is unlimited, meaning that records are purged from the cache only when their TTLs expire.
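The blackhole and sortlist behaviour described above, modelled as added example code that is not part of BIND or of these release notes: a first-match walk over an address_match_list in the order named uses, with negated elements, acl names and nested lists, followed by the blackhole decision and the sortlist reordering of a response. The ACL table, the blackhole list and the sortlist are constructed for the example (the sortlist has the shape of the one in the BIND Administrator Reference Manual), and only IPv4 is handled.

```python
"""Added model of named's address_match_list handling for blackhole and sortlist.
Constructed example; IPv4 only."""
import ipaddress

# Stand-in for named.conf `acl` statements and the built-in names (constructed).
ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.0/8"],
    "localnets": ["192.168.1.0/24", "192.168.2.0/24"],
}


def _network(text):
    """Parse a BIND-style address or prefix, e.g. 10.1.2.3 or 192.168.1/24."""
    if "/" not in text:
        return ipaddress.ip_network(text + "/32")
    base, plen = text.split("/", 1)
    octets = base.split(".") + ["0"] * (4 - base.count(".") - 1)  # 192.168.1/24 -> 192.168.1.0/24
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def match(aml, addr, acls=ACLS):
    """Walk `aml` in order as named does. Returns (+1, element) on a positive
    match, (-1, element) when the deciding element was negated (`!10.0.0.5`),
    and (0, None) when nothing matched. Elements are strings (address, prefix
    or acl name, optionally negated) or nested lists."""
    ip = ipaddress.ip_address(addr)
    for element in aml:
        negate = isinstance(element, str) and element.startswith("!")
        body = element[1:] if negate else element
        if isinstance(body, list):
            sign = match(body, addr, acls)[0]
        elif body in acls:
            sign = match(acls[body], addr, acls)[0]
        else:
            sign = 1 if ip in _network(body) else 0
        if sign != 0:
            return (-sign if negate else sign), element
    return 0, None


def is_blackholed(blackhole, src, acls=ACLS):
    """blackhole { ... }: a positive match means the query is dropped unanswered;
    a negated match or no match means it is processed normally."""
    return match(blackhole, src, acls)[0] > 0


def sortlist_order(sortlist, src, answers, acls=ACLS):
    """Reorder the addresses in a response for a query from `src`. Each sortlist
    statement is a one- or two-element list; the first statement whose first
    element matches `src` decides, and no match leaves the order alone."""
    for statement in sortlist:
        if match([statement[0]], src, acls)[0] <= 0:
            continue
        # One element: the element that matched `src` is also the preference.
        # Two elements: the second is an address_match_list ordered by preference.
        prefs = statement[1] if len(statement) == 2 else [statement[0]]

        def distance(answer):
            for i, pref in enumerate(prefs):
                if match([pref], answer, acls)[0] > 0:
                    return i
            return len(prefs)                 # matches nothing: sorted last

        return sorted(answers, key=distance)  # stable, so ties keep their order
    return list(answers)


# The example sortlist from the BIND ARM, in this model's notation (constructed).
SORTLIST = [
    ["localhost", ["localnets", "192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.1/24", ["192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    [["192.168.4/24", "192.168.5/24"]],
]
```

Because matching is first-match, a negated element only excludes an address if it appears before the broader element that would otherwise match it; `!192.0.2.1` placed after `192.0.2.0/24` has no effect.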

New Option in “Server” Statement

The bogus option marks a remote server as one that gives out invalid data; when it is set to yes, the server will not send queries to that remote server. The default value of bogus is no. The syntax of the bogus option in the “Server” statement is as shown below:

[ bogus yes_or_no ; ]

New Options in “Zone” Statement

The following lists the new options added in “Zone” statement:

  • forwarders

    This option can be used to specify the IP addresses to be used for forwarding. The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external nameservers. This facility also allows queries by servers that do not have direct access to the Internet, but wish to look up exterior names. Forwarding occurs only on those queries for which the server is not authoritative and does not have an answer in its cache.

    The forwarders option is specified in the /etc/named.conf file as:

    [ forwarders { ip_addr [port ip_port] ;
            [ ip_addr [port ip_port] ; ... ] }; ]
  • allow-update

    This option can be used to specify which hosts are allowed to submit Dynamic DNS updates for master zones. By default, updates from all hosts are denied. The address_match_list may also name a TSIG key (key "name";); because the source address of a UDP update can be forged, restricting updates to a key rather than to addresses is the safer choice wherever the updating hosts can carry one.

    NOTE: allow-update option is not applicable for slave zones. Refer to the named.conf(4) man page for more information.

rndc-confgen

rndc-confgen can be used to generate rndc.conf, the configuration file for rndc. Alternatively, it can also be run with the -a option to set up an rndc.key file, avoiding the need for an rndc.conf file and a controls statement in named.conf.

rndc-confgen is run on the command line as:

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname]
[-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

Where

-a is used to configure rndc automatically. This creates the file /etc/rndc.key, which is read by both rndc and named on start-up and lets rndc reach named on the local host with no further configuration. The file holds the shared secret for the command channel, so it must be readable only by the users that run named and rndc.

-b keysize is used to specify the size of the authentication key in bits. The value must range between 1 and 512. Default is 128 bits.

-c keyfile is used with the -a option to specify an alternate location for the rndc.key file.

-h is used to print a short summary of the options and arguments to the rndc-confgen utility.

-k keyname is used to specify the key name of the rndc authentication key. This must be a valid domain name. Default is rndc-key.

-p port is used to specify the command channel port where named listens for connections from rndc. Default is 953.

-r randomfile is used to specify a source file of random data for generating the authentication key. Default is /dev/random; if that is not available, keyboard input is used as the source.

-s address is used to specify the IP address where named listens for command channel connections from rndc. Default is the loopback address 127.0.0.1.

-t chrootdir is used with the -a option to specify a directory where named will run chrooted. An additional copy of rndc.key will be written relative to this directory so that it will be found by the chrooted named.

-u user is used with the -a option to set the owner of the generated rndc.key file. If -t is also specified, the owner of the file in the chroot area will be changed as well.

NOTE: Refer to the rndc-confgen(1) man page for more information.

New Command Line Options

Table 1-1 “New Command Line Options” lists the new command line options that have been added for the various binaries and tools in BIND 9.2.0.

Table 1-1 New Command Line Options

  • dig -b address

    Set the source IP address of the query to address. This must be a valid address on one of the host’s network interfaces.

  • dig -k keyfile

    Sign the DNS queries sent by dig and their responses using transaction signatures (TSIG), with the key read from keyfile.

  • dig -y name:key

    Specify the TSIG key name and base64-encoded secret on the command line. On a multi-user system the secret is then visible to other users in ps output; prefer -k.

  • dnssec-makekeyset and dnssec-signkey -a

    Verify all generated signatures.

  • dnssec-signkey -c class

    Specify the DNS class of the key sets. Currently only the IN class is supported.

  • dnssec-signkey -e end-time

    Specify the date and time when the generated SIG records become invalid. If no end-time is specified, 30 days from the start time will be used as the default.

  • dnssec-signkey -s start-time

    Specify the date and time when the generated SIG records become valid. This can be either an absolute or a relative time. If no start-time is specified, the current time will be used.

  • dnssec-signzone -d directory

    Look for signedkey files in directory.

  • dnssec-signzone -h

    Print a short summary of the options and arguments to dnssec-signzone.

  • dnssec-signzone -i interval

    Specify the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained; otherwise it is considered to be expiring soon and is replaced. The default cycle interval is one quarter of the difference between the signature end and start times. If neither end-time nor start-time is specified, dnssec-signzone generates signatures that are valid for 30 days with a cycle interval of 7.5 days; any existing SIG record that expires in less than 7.5 days is replaced.

  • dnssec-signzone -n ncpus

    Specify the number of threads to use. By default, one thread is started for each CPU.

  • dnssec-signzone -o origin

    Specify the zone origin. If no zone origin is specified, the name of the zone file is used as the origin.

  • dnssec-signzone -t

    Print performance statistics on completion.

  • named -v

    Report the version number and exit.

  • named-checkconf -t directory

    chroot to directory so that include directives in the configuration file are processed as they would be by a similarly chrooted named.

  • named-checkconf -v

    Print the version number of named-checkconf and exit.

  • named-checkzone -v

    Print the version number of named-checkzone and exit.

  • nsupdate key {name} [secret]

    Specify that all updates are to be TSIG-signed using the keyname/keysecret pair. The key command overrides any key specified on the command line via -y or -k.

  • nsupdate local {address} [port]

    Send all dynamic update requests from the local address. If no local statement is provided, nsupdate sends updates using an address and port chosen by the system. port can be used to set a specific source port for the requests; if it is not specified, the system assigns one.

  • nsupdate send

    Send the current message. This is equivalent to entering a blank line.

  • nsupdate show

    Display the current message, containing all the prerequisites and updates specified since the last send operation.

  • rndc -k keyfile

    Use keyfile as the key file instead of the default /etc/rndc.key (the file written by rndc-confgen -a).
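The TSIG signing that nsupdate's key command (and dig -k / -y) perform, and the check a master zone with allow-update { key "name"; } applies when the update arrives, as added example code that is not part of BIND or of these release notes. It builds an UPDATE request for a constructed zone (example.com, one added A record), signs it with HMAC-MD5, the TSIG algorithm BIND 9.2.0 supports, and verifies it the way the server side would; the key name ddns-key, the secret and the zone data are constructed for the example. generate_key_statement makes the same kind of base64 secret and key statement that rndc-confgen -b writes, which is why the rndc and nsupdate key files look alike.

```python
# TSIG-signed DNS UPDATE (RFC 2136, RFC 2845) built and checked without a resolver library. Added example.
import base64
import hashlib
import hmac
import secrets
import struct
import time

TSIG_ALG = "hmac-md5.sig-alg.reg.int."   # the TSIG algorithm BIND 9.2 speaks
FUDGE = 300                              # clock skew (seconds) the signer allows

def encode_name(name):
    """Wire form of a domain name, lowercased (TSIG uses canonical names)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def generate_key_statement(name, bits=128):
    """Base64 secret of `bits` random bits (what rndc-confgen -b produces) plus a key statement."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    return secret, 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' % (name, secret)

def build_update(zone, owner, ipv4, ttl=300, msg_id=None):
    """Unsigned UPDATE: zone section naming the zone SOA, no prerequisites, one added A record."""
    msg_id = secrets.randbelow(65536) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)      # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + zone_sec + encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def _tsig_variables(keyname, time_signed, fudge=FUDGE, error=0, other=b""):
    # TSIG fields covered by the MAC, in RFC 2845 section 3.4.2 order
    return (encode_name(keyname) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
            + encode_name(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign(message, keyname, secret, time_signed=None):
    """Client side (what nsupdate does on send): append a TSIG RR to the request."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret),
                   message + _tsig_variables(keyname, time_signed), hashlib.md5).digest()
    orig_id, arcount = int.from_bytes(message[:2], "big"), int.from_bytes(message[10:12], "big")
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, FUDGE, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))       # original ID, NOERROR, no other data
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    # ARCOUNT counts the TSIG RR in the message sent, not in the bytes that were MACed
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + tsig_rr

def _read_name(buf, off):
    """Decode a wire name (compression pointers allowed); return (name, next offset)."""
    labels, after = [], None
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels).lower() + ".", (off if after is None else after)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def verify(signed, keys, now=None):
    """Server side: check the TSIG against known keys (name -> base64 secret). Returns
    (True, keyname) or (False, reason); an unsigned request is refused outright."""
    now = int(time.time()) if now is None else now
    keys = {k.lower().rstrip(".") + ".": v for k, v in keys.items()}
    _id, _flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False, "unsigned request"
    off = 12
    for _ in range(zo):                                   # zone section: name, type, class
        off = _read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad - 1):                     # every RR ahead of the TSIG
        off = _read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = _read_name(signed, off)
    rtype, off = struct.unpack("!H", signed[off:off + 2])[0], off + 10  # skip type..RDLENGTH
    if rtype != 250 or keyname not in keys:
        return False, "BADKEY: " + keyname
    alg, off = _read_name(signed, off)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[off:off + 10])
    mac, off = signed[off + 10:off + 10 + macsize], off + 10 + macsize
    _orig_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    if alg != TSIG_ALG:
        return False, "BADKEY: algorithm " + alg
    time_signed = (hi << 32) | lo
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(keys[keyname]),
                        unsigned + _tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, keyname
```

Two points the code makes explicit: the MAC covers the whole request with the TSIG RR left out of ARCOUNT, so changing any update record invalidates it, and the time-signed value plus fudge bounds how long a captured request can be replayed. named reports these failures to the updater as BADSIG, BADKEY and BADTIME respectively.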

 

New Commands in rndc

The remote name daemon control (rndc) program allows the system administrators to control the operations of a name server.

The following lists the new commands added in rndc:

  • reconfig

  • trace

  • trace level

  • notrace

  • flush

  • flush [view]

  • status

rndc is run on the command line as:

rndc [-c config] [-s server] [-p port] [-y key] command [command...]

Where

-c config file is used to specify an alternate configuration file. The default configuration file is /etc/rndc.conf.

-s server is used to specify the server whose operation needs to be controlled.

-p port is used to instruct rndc that it should send commands to TCP port number port on the system running the name server instead of BIND 9.2.0’s default control channel port, 953.

-y key identifies the key-id to use from the configuration file and command is one of the following:

Table 1-2 rndc commands

  • reload

    Reload the configuration file and zones.

  • reload zone [class [view]]

    Reload the given zone.

  • refresh zone [class [view]]

    Schedule zone maintenance for the given zone.

  • stats

    Write server statistics to the statistics file.

  • querylog

    Toggle query logging.

  • dumpdb

    Dump the current contents of the cache into the file specified by the dump-file option in named.conf.

  • stop

    Stop the server after saving any recent changes into the master files of the updated zones.

  • halt

    Stop the server immediately without saving any recent changes into the master files.

  • reconfig

    Reload the configuration file and new zones only.

  • trace

    Increment the debugging level by 1.

  • trace level

    Change the debugging level to level.

  • notrace

    Set the debugging level to 0.

  • flush

    Flush all the server’s caches.

  • flush [view]

    Flush the server’s cache for the given view.

  • status

    Display the status of the server.

 

NOTE: Refer to the rndc(1) man page for more information.

A sample rndc.conf file is distributed with this release of BIND. This file can be generated automatically by the rndc-confgen utility, which is distributed with BIND 9.2.0. For more information on rndc-confgen, read the rndc-confgen section above.

© 2004 Hewlett-Packard Development Company, L.P.