bind/doc/misc/migration

Copyright (C) 2000  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                   BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there is still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.1 supports most, but not all but not of the named.conf options
of BIND 8.  For a complete list of implmented options, see
doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message.  A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

In particular, if you see a warning message about the default for the
"auth-nxdomain" option having changed, you can suppress it by adding
one of the following lines to the named.conf options { } block:

   auth-nxdomain no;	# conform to RFC1035
   auth-nxdomain yes;	# do what BIND 8 did by default

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf.  Earlier versions would start despite errors, causing the
server to run with a partial configuration.  Errors detected during
subsequent reloads do not cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8.  If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read.  This means that when
the server starts up, any messages about errors in the configuration
file are always logged to the default destination (syslog) when the
server first starts up, regardless of the contents of the "logging"
statement.  In BIND 8, the new logging configuration took effect
immediately after the "logging" statement was read.

1.4. Case sensitivity

In BIND 9, ACL names are case sensitive.  In BIND 8 they were case
insensitive.

1.5. Notify messages and Refesh queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather that
query-source as in BIND 8.

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.

BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules.  The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way.  This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND.  If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

	@	IN SOA	ns.example. hostmaster.example.
			( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9.  The fix is to move the opening parenthesis to the first
line.

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated.  Use \$ instead.

3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response.  Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely.  We have contacted the manufacturer of the name server in
case, and they are working on a solution.


4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details.  Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf.  BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.


5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation.  Unlike ndc, rndc requires a configuration file; 
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details.  Some of the ndc commands are still unimplemented in rndc.


$Id: migration,v 1.16 2000/11/30 23:24:01 gson Exp $
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00			`Copyright (C) 2000 Internet Software Consortium.`
new URL for the copyright notice 2000-08-09 04:37:43 +00:00			`See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
minor adjustment for compatibility with update_copyrights, which condenses multiple blank lines after the copyright and first paragraph. 2000-07-27 23:48:49 +00:00			`BIND 8 to BIND 9 Migration Notes`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
			`BIND 9 is designed to be mostly upwards compatible with BIND 8, but`
			`there is still a number of caveats you should be aware of when`
			`upgrading an existing BIND 8 installation to use BIND 9.`


added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00			`1. Configuration File Compatibility`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00			`1.1. Unimplemented Options and Changed Defaults`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
updated for 9.1 2000-11-30 23:24:01 +00:00			`BIND 9.1 supports most, but not all but not of the named.conf options`
			`of BIND 8. For a complete list of implmented options, see`
			`doc/misc/options.`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00			`If your named.conf file uses an unimplemented option, named will log a`
			`warning message. A message is also logged about each option whose`
			`default has changed unless the option is set explicitly in named.conf.`

added note about auth-nxdomain warning message 2000-09-18 23:41:20 +00:00			`In particular, if you see a warning message about the default for the`
			`"auth-nxdomain" option having changed, you can suppress it by adding`
			`one of the following lines to the named.conf options { } block:`

			`auth-nxdomain no; # conform to RFC1035`
			`auth-nxdomain yes; # do what BIND 8 did by default`

added section on Handling of Configuration File Errors 2000-08-29 17:57:29 +00:00			`1.2. Handling of Configuration File Errors`
added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00
added section on Handling of Configuration File Errors 2000-08-29 17:57:29 +00:00			`In BIND 9, named refuses to start if it detects an error in`
			`named.conf. Earlier versions would start despite errors, causing the`
			`server to run with a partial configuration. Errors detected during`
			`subsequent reloads do not cause the server to exit.`

			`1.3. Logging`
RT #169: note that logging categories have changed from BIND 8 2000-07-14 17:11:07 +00:00
			`The set of logging categories in BIND 9 is different from that`
			`in BIND 8. If you have customized your logging on a per-category`
			`basis, you need to modify your logging statement to use the`
			`new categories.`

			`Another difference is that the "logging" statement only takes effect`
			`after the entire named.conf file has been read. This means that when`
			`the server starts up, any messages about errors in the configuration`
			`file are always logged to the default destination (syslog) when the`
			`server first starts up, regardless of the contents of the "logging"`
			`statement. In BIND 8, the new logging configuration took effect`
			`immediately after the "logging" statement was read.`

there were two sections 1.3 2000-09-01 17:46:15 +00:00			`1.4. Case sensitivity`
note that ACL names are now case sensitive 2000-08-22 00:58:12 +00:00
			`In BIND 9, ACL names are case sensitive. In BIND 8 they were case`
			`insensitive.`

537. [func] Use transfer-source{-v6} when notify messages. 2000-10-31 05:34:18 +00:00			`1.5. Notify messages and Refesh queries`

			`The source address and port for these is now controlled by`
updated for 9.1 2000-11-30 23:24:01 +00:00			`"notify-source" and "transfer-source", respectively, rather that`
			`query-source as in BIND 8.`
note that ACL names are now case sensitive 2000-08-22 00:58:12 +00:00
added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00			`2. Zone File Compatibility`

			`2.1. Strict RFC1035 Interpretation of TTLs in Zone Files`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
			`BIND 8 allowed you to omit all TTLs from a zone file, and used the`
			`value of the SOA MINTTL field as a default for missing TTL values.`

			`BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL`
			`rules. The default TTL is the value specified with the $TTL`
			`directive, or the previous explicit TTL if there is no $TTL directive.`
			`If there is no $TTL directive and the first RR in the file does not`
			`have an explicit TTL field, the error message "no TTL specified" is`
			`logged and loading the zone file fails.`

			`To avoid problems, use a $TTL directive in each zone file.`

added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00			`2.2. Periods in SOA Serial Numbers Deprecated`

			`Some versions of BIND allow SOA serial numbers with an embedded`
			`period, like "3.002", and convert them into integers in a rather`
			`unintuitive way. This feature is not supported by BIND 9; serial`
			`numbers must be integers.`

			`2.3. Handling of Unbalanced Quotes`

			`TXT records with unbalanced quotes, like 'host TXT "foo', were not`
			`treated as errors in some versions of BIND. If your zone files`
			`contain such records, you will get potentially confusing error`
			`messages like "unexpected end of file" because BIND 9 will interpret`
			`everything up to the next quote character as a literal string.`

added note about BIND 8 incorrectly accepting unquoted line breaks 2000-08-31 01:38:20 +00:00			`2.4. Handling of Line Breaks`

			`Some versions of BIND accept RRs containing line breaks that are not`
			`properly quoted with parentheses, like the following SOA:`

			`@ IN SOA ns.example. hostmaster.example.`
			`( 1 3600 1800 1814400 3600 )`

			`This is not legal master file syntax and will be treated as an error`
			`by BIND 9. The fix is to move the opening parenthesis to the first`
			`line.`

noted that $GENERATE is unimplemented 2000-09-05 16:51:01 +00:00			`2.5. Unimplemented BIND 8 Extensions`

updated for 9.1 2000-11-30 23:24:01 +00:00			`$GENERATE: The "$$" construct for getting a literal $ into a domain`
			`name is deprecated. Use \$ instead.`
added notes about dotted serial numbers and unbalanced quotes 2000-07-12 05:06:33 +00:00
			`3. Interoperability Impact of New Protocol Features`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
			`BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It`
updated for 9.1 2000-11-30 23:24:01 +00:00			`also sets an EDNS flag bit in queries to indicate that it wishes to`
			`receive DNSSEC responses; this flag bit usage is not yet standardized,`
			`but we hope it will be.`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
updated for 9.1 2000-11-30 23:24:01 +00:00			`Most older servers that do not support EDNS0, including prior versions`
			`of BIND, will send a FORMERR or NOTIMP response to these queries.`
			`When this happens, BIND 9 will automatically retry the query without`
			`EDNS0.`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
			`Unfortunately, there exists at least one non-BIND name server`
			`implementation that silently ignores these queries instead of sending`
			`an error response. Resolving names in zones where all or most`
			`authoritative servers use this server will be very slow or fail`
			`completely. We have contacted the manufacturer of the name server in`
updated for 9.1 2000-11-30 23:24:01 +00:00			`case, and they are working on a solution.`
added bind8 -> bind9 migration notes 2000-06-30 22:44:08 +00:00
added note on lack of check-names functionality 2000-09-01 18:30:30 +00:00
			`4. Unrestricted Character Set`

			`BIND 9 does not restrict the character set of domain names - it is`
			`fully 8-bit clean in accordance with RFC2181 section 11.`

			`It is strongly recommended that hostnames published in the DNS follow`
			`the RFC952 rules, but BIND 9 will not enforce this restriction.`

			`Historically, some applications have suffered from security flaws`
			`where data originating from the network, such as names returned by`
			`gethostbyaddr(), are used with insufficient checking and may cause a`
			`breach of security when containing unexpected characters; see`
			`<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>`
			`for details. Some earlier versions of BIND attempt to protect these`
			`flawed applications from attack by discarding data containing`
			`characters deemed inappropriate in host names or mail addresses, under`
			`the control of the "check-names" option in named.conf and/or "options`
			`no-check-names" in resolv.conf. BIND 9 provides no such protection;`
			`if applications with these flaws are still being used, they should`
			`be upgraded.`


added note on ndc->rndc change 2000-09-08 21:34:28 +00:00			`5. Server Administration Tools`

			`The "ndc" program has been replaced by "rndc", which is capable of`
			`remote operation. Unlike ndc, rndc requires a configuration file;`
			`see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for`
updated for 9.1 2000-11-30 23:24:01 +00:00			`details. Some of the ndc commands are still unimplemented in rndc.`
added note on ndc->rndc change 2000-09-08 21:34:28 +00:00

updated for 9.1 2000-11-30 23:24:01 +00:00			$Id: migration,v 1.16 2000/11/30 23:24:01 gson Exp $