BIND v 9.6.2 FINAL DNS 64BIT VERSION FOR SOLARIS 10 SPARC EDITION


Today I released the next BIND v 9.6.2 64-bit version for Solaris 10 SPARC Edition.

It was compiled against the original Sun Solaris 10 C/C++ libraries and system shared objects, with no links to GNU C (GCC) or any other Free Software Foundation tools.

You can download it from the link below:

binary_ready_BIND_9.6.2.tar.bz2

To build a correct configuration file, use the full reference documentation:

BIND 9 Administrator Reference Manual

 

New features in BIND 9.6.2:

Full NSEC3 support

BIND 9.6 includes support for NSEC3 record generation as defined in RFC 5155, DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. As an alternative to NSEC, it prevents walking a signed zone (zone enumeration), because the chain is built over hashed owner names rather than the names themselves. It also permits gradual expansion of delegation-centric zones: NSEC3 has an opt-out bit which lets the zone owner save overhead by leaving delegations to unsigned child zones out of the chain.

NSEC3 is not recommended unless there is a pressing need for the features it provides. It is expensive for both the server and the client: every hashed owner name costs the configured number of SHA-1 iterations plus one, and that price is paid again on each negative answer that has to be produced or validated. Most zones do not need the additional expense incurred by the use of NSEC3.
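As an added example (not part of the original post and not BIND's own code), the RFC 5155 hashing scheme in Python: it shows where the per-name cost of iterations + 1 SHA-1 rounds comes from, and how a zone's NSEC3 chain proves that a name does not exist while exposing only hashes, which is what defeats zone walking. The three-name zone is a constructed input; the salt aabbccdd and 12 iterations are the parameters of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# base32hex (RFC 4648 extended hex alphabet) preserves the binary sort order of the
# hash, which is what lets an NSEC3 chain be ordered by comparing encoded owner names.
_B32_STD_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                "0123456789abcdefghijklmnopqrstuv")


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name, e.g. b'\\x07example\\x00'."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(x) = SHA-1, with the salt appended before every round.
    'iterations' extra rounds follow the first one, so each name costs iterations + 1
    hashes: paid once by the signer, and on every negative answer by server and validator."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_STD_TO_HEX)


def build_nsec3_chain(zone_names, salt_hex, iterations):
    """The NSEC3 chain of a zone: hashed owner names in sorted order, each pointing at
    the next one, with the last record wrapping around to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covering_nsec3(chain, qname, salt_hex, iterations):
    """The record a server returns to deny qname: the one whose interval covers H(qname).
    Returns None when the hash equals an owner name, i.e. the name exists."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == h:
            return None
        wraps = nxt <= owner  # last record of the chain (or a single-record chain)
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return (owner, nxt)
    raise ValueError("hash not covered; the chain is broken")


if __name__ == "__main__":
    # Apex of the RFC 5155 Appendix A zone (SHA-1, 12 iterations, salt aabbccdd).
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # Constructed three-name zone: the published chain carries hashes, not names.
    chain = build_nsec3_chain(["example.", "www.example.", "mail.example."], "aabbccdd", 12)
    for owner, nxt in chain:
        print(f"{owner}.example. NSEC3 1 0 12 aabbccdd {nxt}")
    print(covering_nsec3(chain, "nope.example.", "aabbccdd", 12))
```

Raising the iteration count makes offline dictionary attacks on the hashes slower, but it raises the same cost for every resolver that validates a NXDOMAIN from the zone, which is the trade-off the paragraph above warns about.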

 


Automatic zone re-signing

BIND 9 provides incremental re-signing support for dynamic zones and includes new options — sig-signing-nodes and sig-signing-signatures — to break up the amount of work performed when re-signing a zone.

libbind available as a separate download

The BIND 8 resolver library, libbind, has been removed from the BIND 9 distribution and is now available as a separate download. The build-time configure option for BIND 9, --enable-libbind, is now deprecated. Previously it was not built or installed by default.

Default PID file location

The default location for PID files changed from /var/run/named.pid and /var/run/lwresd.pid to /var/run/named/named.pid and /var/run/lwresd/lwresd.pid for improved chroot/setuid support.

This allows the owner of the containing directory to be set, for "named -u" support, and allows there to be a permanent symbolic link in the path, for "named -t" support.

New tool: dnssec-dsfromkey

Added a tool, dnssec-dsfromkey, to generate DS records from the DNSKEY contained in existing keyset or .key files. (The dnssec-signzone tool can also generate DS records, but this new tool, dnssec-dsfromkey, doesn’t create a signed zone nor does it require a zone file.)
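As an added example (not part of the original post and not the code of dnssec-dsfromkey itself), the computation the tool performs, in Python: the RFC 4034 key tag and the DS digest over the owner name in wire form followed by the DNSKEY RDATA, starting from a DNSKEY line as found in a .key file. The DNSKEY line below is constructed with a dummy 4-byte public key; a real RSASHA1 key is far longer, but the procedure is the same.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of the owner name."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum of the RDATA as 16-bit words with the carry
    folded back in. (Algorithm 1, RSA/MD5, used a different rule and is not handled.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type=1):
    """DS RR for a DNSKEY: digest = H(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = _DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_key_line(line, digest_type=1):
    """Parse one presentation-format DNSKEY line as written to a .key file
    ('owner [ttl] [IN] DNSKEY flags protocol algorithm key ...') and return its DS record."""
    tokens = line.split()
    owner = tokens[0]
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    public_key_b64 = "".join(tokens[idx + 4:])  # key material may be split across tokens
    return ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type)


if __name__ == "__main__":
    # Constructed input: zone-signing flags (256), protocol 3, RSASHA1 (5), dummy key 01 02 03 04.
    line = "example. IN DNSKEY 256 3 5 AQIDBA=="
    print(ds_from_key_line(line, 1))
    print(ds_from_key_line(line, 2))
```

Because the owner name is lowercased before hashing, the digest does not depend on the case in which the parent zone writes the name; the key tag, however, is not unique, so a parent publishing DS records should carry the full digest and not rely on the tag alone to identify a key.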

Support for Cryptoki hardware

BIND can be built with OpenSSL's PKCS#11 support, i.e. the Cryptographic Token Interface (Cryptoki). This provides support for using an external security device, such as a Sun Crypto Accelerator, for hardware acceleration of key generation and cryptographic operations and/or for protected key storage.

To build BIND with PKCS#11 support, first configure with the --with-pkcs11 option. For more details, see the new README.pkcs11 file included with the BIND 9.6 source.

New tool: dnssec-keyfromlabel

BIND 9 also adds the dnssec-keyfromlabel tool. It takes the label of a key pair held in a Hardware Security Module (HSM) and constructs DNS key files that named and dnssec-signzone can use. The private key never leaves the device; it is reached through the PKCS#11 interface.

Default TTL with nsupdate

With nsupdate, you can now set or clear a default time to live for the records to be added. Previously you had to specify the TTL on every update. See the nsupdate manual page for the new "ttl" command.

Randomize server selection on queries

As a security improvement to make forgery a little more difficult, BIND 9.6 now makes the order of server selection for queries less predictable. Previously, BIND always preferred the server with the lowest recorded round trip time (RTT), so an attacker could guess which authoritative server would be queried. Now servers that haven't been tried yet have their RTT set to a random value between 0 ms and 7 ms, and the RTT values of servers that have been tried are randomly changed by up to 128 ms.

Specify max sockets on named command line

The named command has a new option, -S, to specify the maximum number of sockets. This may be used to override the system's defined number of file descriptors (FD_SETSIZE). It may be needed on some systems to support more listening sockets due to unique query ports. This option is unnecessary, and may even be harmful, for most systems; read the new manual page for details.

DNSSEC Zone Key Tool included in contrib

BIND 9.6 includes dnssec-zkt in the source at contrib/zkt. The DNSSEC Zone Key Tool provides commands to create and list DNSSEC zone keys, sign zones, re-sign them, and automate key rollovers. They are wrappers around BIND 9's dnssec-keygen(8) and dnssec-signzone(8) tools. The official homepage and more information is at http://www.hznet.de/dns/zkt/. Thank you to Holger Zuleger for providing this code and releasing it under a BSD license.

max-cache-size 0;

The default for the max-cache-size option was reverted to 0 (no limit), the previous default. This means that records are purged from the cache only when their TTLs expire.

Improved query port randomization performance

On supported platforms, BIND is compiled with kqueue, epoll, or /dev/poll support (on Solaris 10 this is /dev/poll) instead of the generic polling routines. This helps named scale when polling large numbers of file descriptors, such as the many sockets used for query port randomization.


Developed by Eldar Aydayev ©
UNIX Systems Professional Engineer
Aydayev’s Investment Business Group
E-mail: eldar@aydayev.com
URL: http://eldar.aydayev.com
LinkedIn: http://www.linkedin.com/in/eldar
Phone: +1 (650) 206-2624