Changed Features

In BIND 9.2.0, when the dnssec-keygen command is executed twice with the HMAC-MD5 algorithm, two different key-file pairs are generated. In BIND 9.3.2, the key files are overwritten, resulting in one key-file pair only.

In the previous version of BIND, the dnssec-keygen command used the RSAMD5, DH, DSA, RSA, or HMAC-MD5 algorithm. In BIND 9.3.2, the dnssec-keygen command supports only RSASHA1 and DSA algorithms for DNSSEC. HMAC-MD5 and DH are also supported, in which case a KEY record is generated instead of a DNSKEY record. The -k option must be used to generate a KEY record.

In BIND 9.3.2, the key file supplied to nsupdate using the -k option must contain a key of the type KEY and not DNSKEY.

The dnssec-signzone command creates the db.<zone>.signed file, which contains the NSEC (corresponding to the NXT record in 9.2.0) and RRSIG (corresponding to the SIG record in 9.2.0) records. Additionally, it creates a dsset-<zone> file that contains the DS record and the keyset-<zone> file that contains the DNSKEY record.

The -i option in the dig command must be used for IP6.INT IPv6 reverse lookups. By default, dig performs IP6.ARPA reverse IPv6 lookups.

The output of the dig name command for Not Implemented is changed from NOTIMPL to NOTIMP.