Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for 
terms.
		   

                   BIND 8 to BIND 9 MIGRATION NOTES
                   --------------------------------
                   
Introduction
------------
 		  	    
This document provides information about differences between BIND 8 and
BIND 9. BIND 9 is upwards compatible with most BIND 8 features. However, 
there are still a number of caveats you should be aware of when upgrading 
an existing BIND 8 installation to use BIND 9. Be sure to read this 
entire document before installing and using BIND 9.

This document contains the following sections:
	* Section A, 1-7 Overview of Differences Between BIND 8 and BIND 9
	* Section 8      BIND 9 name server and the Service Management Facility
	* Appendix I     Implementing rndc
	* Appendix II    BIND 9 Commands, Options, Files, and Tools
	* Appendix III   The named.conf Options

Additional information and documentation about BIND 9, including an
Administrator Reference Manual is available on the ISC web site at 
http://www.isc.org

The words "named", "DNS server", "name server" and "BIND 9 server"
are used interchangeably to denote the Internet Systems Consortium
BIND version 9 DNS server throughout this document.

Overview of Differences Between BIND 8 and BIND 9
-------------------------------------------------

Below is a list of changes between BIND 8 and BIND 9, including brief 
descriptions. For more detailed information, see the appropriate 
subsection for each item.

Configuration File Compatibility, 	Section 1.0
    * unimplemented options warning message	1.1
    * "transfer-format" option changes		1.1
    * configuration file errors 			1.2
    * logging categories have changed		1.3
    * configuration file startup errors		1.3
    * "query-source" is deprecated		1.4
    * multiple classes change			1.5

Zone File Compatibility, 		Section 2.0
    * stricter rules for TTLs in zone file	2.1
    * SOA serial number changes			2.2
    * unbalanced quotes cause errors		2.3
    * line breaks, syntax change		2.4
    * use \$ instead of $$ in domain names	2.5

Interoperability Impact of New Protocol  
Features,				Section 3.0
    * EDNS0 new in BIND 9			3.1
    * zone transfers default change		3.2

Unrestricted Character Set,		Section 4.0
    * no restrictions on character set		4.0
    * security issue, improper naming		4.0

Server Administration Tools, 		Section 5.0
    * the rndc program replaces ndc		5.1
    * nsupdate: changes in multiple updates 	5.2

No Information Leakage Between Zones,	Section 6.0
    * glue NS records handled differently	6.0
	
Umask Not Modified,			Section 7.0
    * possible umask permissions issues		7.0



1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

The BIND 9 name server supports most, but not all, of the configuration
options of the BIND 8 name server. For a complete list of implemented 
options, see Appendix III of this document.

If your named.conf file uses an unimplemented option, the BIND 9 name 
server will log a warning message. A message is also logged about each
option whose default has changed unless the option is set explicitly 
in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers".  If you have slave servers that do
not understand the "many-answers" zone transfer format (e.g., BIND
4.9.5 and older) you need to explicitly specify 
"transfer-format one-answer;" in either the options block or a 
server statement.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf.  Earlier versions would start despite errors, causing
the server to run with a partial configuration.  Errors detected
during subsequent reloads do not cause the server to exit.

Errors in master files do not cause the server to exit, but they
do cause the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8.  If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read.  This means that any
messages about errors in the configuration file are always logged to
the default destination (syslog) when the server first starts up,
regardless of the contents of the "logging" statement.  In BIND 8,
the new logging configuration took effect immediately after the
"logging" statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather than
"query-source" as in BIND 8.

1.5. Multiple Classes

Multiple classes have to be put into explicit views for each class.


2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted time-to-live (TTL) entries in zone files.  Omitted TTLs are 
replaced by the value specified with the $TTL directive, or by the 
previous explicit TTL if there is no $TTL directive.

If there is no $TTL directive and the first Resource Record (RR) in the 
file does not have an explicit TTL field, the zone file is illegal 
according to RFC1035 since the TTL of the first RR is undefined.  
Unfortunately, BIND 4 and many versions of BIND 8 accept such files 
without warning and use the value of the SOA MINTTL field as a default 
for missing TTL values.

Earlier versions of BIND 9 refused to load such files. However, BIND
9.2.4 loads the files anyway (provided the SOA is the first record 
in the file), but will issue a TTL warning message.

To avoid problems, we recommend that you use a $TTL directive in each
zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way.  This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND.  If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

	@	IN SOA	ns.example. hostmaster.example.
			( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
line.

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated.  Use \$ instead.
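As an added illustration of sections 2.1 to 2.4 (this is Python written for these notes, not code from the migration notes or from BIND; named-checkzone, listed in Appendix IIb, remains the authoritative check): a small lint that reads a zone file the way BIND 9 does, joining parenthesised lines and letting a quoted string run to the next quote, and reports a first RR without a TTL when there is no $TTL directive, a dotted SOA serial, a record split across lines without parentheses, and an unbalanced quote. Both sample zones are constructed; the second is the first with every pitfall corrected.

```python
"""Lint a zone file for the BIND 8 -> BIND 9 master-file pitfalls of section 2."""
import re

TTL_RE = re.compile(r"(?:\d+[smhdw]?)+", re.IGNORECASE)
TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
CLASSES = {"IN", "CH", "HS"}
RDATA_FIELDS = {"SOA": 7, "A": 1, "AAAA": 1, "NS": 1, "CNAME": 1, "PTR": 1, "MX": 2, "TXT": 1}


def logical_records(text, findings):
    """Yield (start_line, tokens, has_owner) per record; parentheses join lines,
    and a quoted string runs to the next '"' even across lines, as BIND 9
    reads an unbalanced quote (2.3). ';' starts a comment outside quotes."""
    tokens, buf = [], []
    start, has_owner, in_quote, depth, quote_line = None, False, False, 0, None

    def flush():
        if buf:
            tokens.append("".join(buf))
            buf.clear()

    for lineno, line in enumerate(text.splitlines(), 1):
        if start is None:
            start, has_owner = lineno, not line[:1].isspace()
        for ch in line:
            if in_quote:
                buf.append(ch)
                in_quote = ch != '"'
            elif ch == '"':
                in_quote, quote_line = True, lineno
                buf.append(ch)
            elif ch == ";":
                break                           # comment: rest of line ignored
            elif ch in "()":
                flush()
                depth += 1 if ch == "(" else -1
            elif ch.isspace():
                flush()
            else:
                buf.append(ch)
        if in_quote:
            buf.append(" ")                     # the string continues on the next line
        else:
            flush()
        if depth == 0 and not in_quote:
            yield start, tokens, has_owner
            tokens, start = [], None
    if in_quote:
        findings.append((quote_line, "unbalanced quote: BIND 9 reads up to the next "
                                     "quote and reports 'unexpected end of file'"))


def lint_zone(text):
    """Return a sorted list of (line, message) for the section 2 pitfalls."""
    findings, saw_ttl, first_rr_seen = [], False, False
    for lineno, tokens, has_owner in logical_records(text, findings):
        if not tokens or tokens[0].startswith("$"):
            saw_ttl = saw_ttl or (bool(tokens) and tokens[0].upper() == "$TTL")
            continue                            # $ORIGIN/$INCLUDE/$GENERATE: not checked
        fields, ttl = (tokens[1:] if has_owner else tokens), None
        # TTL and class are optional and may come in either order before the type.
        while fields and (TTL_RE.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            ttl = fields[0] if TTL_RE.fullmatch(fields[0]) else ttl
            fields = fields[1:]
        if not fields or not TYPE_RE.fullmatch(fields[0]):
            findings.append((lineno, "no record type found; continuation of the "
                                     "previous record outside parentheses? (2.4)"))
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if not first_rr_seen and ttl is None and not saw_ttl:
            findings.append((lineno, "no $TTL directive and the first RR has no TTL; "
                                     "BIND 9.2.4 warns, earlier BIND 9 refused to load (2.1)"))
        first_rr_seen = True
        need = RDATA_FIELDS.get(rtype)          # minimum RDATA fields for the type
        if need is not None and len(rdata) < need:
            findings.append((lineno, f"{rtype} has {len(rdata)} RDATA field(s), expected "
                                     f"{need}; line break outside parentheses? (2.4)"))
        elif rtype == "SOA" and "." in rdata[2]:
            findings.append((lineno, f"SOA serial '{rdata[2]}' contains a period; "
                                     "BIND 9 requires an integer (2.2)"))
    return sorted(findings)


# Constructed sample: no $TTL, dotted serial, MX split without parentheses, unbalanced quote.
BROKEN_ZONE = """\
@       IN SOA  ns.example. hostmaster.example. (
                    3.002 3600 1800 1814400 3600 )
        IN NS   ns.example.
@       IN MX   10
        mail.example.
host    IN TXT  "foo
"""

FIXED_ZONE = """\
$TTL 3600
@       IN SOA  ns.example. hostmaster.example. (
                    3002 3600 1800 1814400 3600 )
        IN NS   ns.example.
@       IN MX   10 mail.example.
host    IN TXT  "foo"
"""
```

Running lint_zone(BROKEN_ZONE) reports two findings on line 1, one each on lines 4, 5 and 6; lint_zone(FIXED_ZONE) returns an empty list.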


3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardised,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response.  Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. The manufacturer of the name server is working on a 
solution.

When BIND 9 communicates with a server that does support EDNS0, such
as another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level.  If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.  
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a
bug in the Windows 2000 DNS server where DNS messages larger than
16K are not handled properly.  Obtain the latest service pack for
Windows 2000 from Microsoft to address this issue.  In the meantime,
the problem can be worked around by setting "transfer-format 
one-answer;".  For details, see
http://support.microsoft.com/default.aspx?scid=kb;en-us;297936

4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names--it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9.2.4 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause
a breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details.  Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses,
under the control of the "check-names" option in named.conf and/or
"options no-check-names" in resolv.conf.  BIND 9.2.4 provides no
such protection; if applications with these flaws are still being
used, they should be upgraded.


5. Server Administration Tools

5.1. ndc Replaced by rndc

The "ndc" program has been replaced by "rndc", which is capable of
remote operation.  Unlike ndc, rndc requires a configuration file.
The easiest way to generate a configuration file is to run
"rndc-confgen -a"; see the man pages for rndc(1M), rndc-confgen(1M),
and rndc.conf(5) for details. While upgrading from previous Solaris
releases to Solaris 10, the upgrade process will detect if a
/etc/rndc.key or /etc/rndc.conf file exists. If neither file is
found, it runs "rndc-confgen -a" and generates /etc/rndc.key
so that rndc can be run with a local DNS name server without 
further user intervention.

More information about rndc is available in "Implementing rndc",
later in this document.



5.2. nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature
where an update request would be broken down into multiple requests
based upon the discovered zones that contained the records.  This
behaviour has not been implemented in BIND 9.  Each update request
must pertain to a single zone, but it is still possible to do
multiple updates in a single invocation of nsupdate by terminating
each update with an empty line or a "send" command.


6. No Information Leakage Between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR.  When a BIND 9 server is authoritative for both a child zone
and its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of
NS records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any).  In the
case of children of type "stub", this behaviour was documented as a 
feature, allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behaviour need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for 
injecting NS records into their parent zones, they are still useful
as a way of directing queries for a given domain to a particular 
set of name servers.


7. Umask Not Modified

The BIND 8 named unconditionally sets the umask to 022.  BIND 9 does
not; the umask inherited from the parent process remains in effect.
This may cause files created by named, such as journal files, to be
created with different file permissions than they did in BIND 8.  If
necessary, the umask should be set explicitly in the script used to
start the named process.

8. BIND 9 name server and the Service Management Facility

The DNS BIND 9 named(1M) service can be managed by using the Service
Management Facility (SMF). For more information, see the smf(5) man
page. The SUNWbindr package provides the BIND 9 service manifest 
and must be installed.

When you use SMF, the following items apply.

- Administrative actions on this service, such as enabling, disabling,
or restarting, can be performed by using the svcadm(1M) command.

- The default Fault Managed Resource Identifier (FMRI) for the BIND 9
DNS server is svc:/network/dns/server. The FMRI for the DNS client is
svc:/network/dns/client.

- You can query the state of the BIND 9 DNS service by using svcs(1). 
	#svcs network/dns/server

The upgrade to Solaris 10 will detect an existing /etc/named.conf file
and enable the BIND 9 service to startup after the upgrade is completed
and the system is rebooted.

To start the BIND 9 DNS service on a Solaris 10 system:

a. Create/Copy a valid /etc/named.conf file.
b. Verify that the SUNWbind and SUNWbindr packages, including any
   required packages, are installed correctly.
c. #svcadm enable network/dns/server

While it is recommended that you use svcadm(1M) to administer the server,
you can use rndc(1M) as well. SMF is aware of the state change of the BIND
9 named service, whether administered by using svcadm(1M) or rndc(1M).

NOTE: smf(5) will not be aware of the BIND 9 named(1M) service 
if the service is manually executed from the command line.

If you need to start named(1M) with different options (for example
with a configuration file other than /etc/named.conf), change the 
"start method" property of the BIND 9 service manifest using the 
svccfg(1M) command. For example:
svccfg -s dns/server setprop start/exec="Foo"

Multiple smf(5) service instances are only needed if you want to
run multiple copies of BIND 9 name service. Each additional instance
can be specified in the BIND 9 service manifest with a different 
start method.

For more information about the Service Management Facility, refer to 
"Managing Services (Overview)" in System Administration Guide: Basic 
Administration, available on http://docs.sun.com. Also refer to smf(5), 
svcs(1), svcadm(1M), svccfg(1M) man pages and the BIND 9 name service
manifest server.xml in /var/svc/manifest/network/dns.


		*************************************


			    APPENDICES I-III
			    
				
Appendix I	Implementing rndc
            -----------------

The BIND 8 ndc(1M) and BIND 9 rndc(1M) name server control tools are
NOT backward compatible: rndc can't talk to the BIND 8 name server 
and ndc can't talk to the BIND 9 name server. Features, options, 
default modes of operation, and configuration file requirements 
have changed.


Ia. The rndc.conf Configuration File
    --------------------------------

The most significant difference between ndc in BIND 8 and rndc in BIND 9 
is that rndc needs its own configuration file, rndc.conf. This file can 
be generated with the rndc-confgen(1M) command. The rndc.conf file specifies 
which server rndc controls and which key algorithm it should use. Note that
the /etc/rndc.conf and matching /etc/named.conf information is only needed
when using rndc to manage a remote BIND 9 name server. If rndc is only 
used to manage a local BIND 9 name server, the /etc/rndc.key file is sufficient.

     Sample rndc.conf File
     ---------------------

     options {
             default-server localhost;
             default-key "rndc-key";
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };


     Sample named.conf File Entry for rndc
     -------------------------------------

     controls {
             inet * allow { any; } keys { "rndc-key"; };
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };
 
            

Ib. Differences in the Control Channels
    -----------------------------------

Both the ndc(1M) and the rndc(1M) utilities use a control channel to 
send commands to and retrieve information from a name server. However, 
there are differences between the utilities.

	* In BIND 8, ndc can use AF_UNIX domain sockets (UNIX control 
channel) or TCP/IP sockets (inet control channel). By default, ndc
does not need any support in /etc/named.conf, because BIND 8 servers
use a UNIX domain socket with a path (/var/run/ndc.d/ndc) compiled
into in.named. 

In BIND 9, rndc uses an authenticated TCP/IP inet control channel
by default and is not backward compatible with BIND 8.

	* When using rndc, you need to specify a 'key' clause to 
communicate with the name server. It is mandatory that the BIND 9
server and the rndc client share the same key. Using the BIND 8 
controls entry in BIND 9 will result in an error message. 

	* Some command options have changed from the ndc to the rndc 
implementation. This includes the "-c" option, which has a different 
syntax in BIND 9. Therefore, to specify the control channel in 
BIND 9, use "rndc -s <server> -p <port>".
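The sample files in Ia and the shared-key requirement in Ib can be checked mechanically. The following is an added example in Python, not code from these notes or from BIND: it parses the key and controls statements of a named.conf and the default-key of an rndc.conf, verifies that both sides define the same key with the same algorithm and secret, and flags a controls statement that listens on every interface and allows any address, since the shared key is then the only thing protecting the control port. The default port 953 and the local-only variant follow what rndc-confgen normally emits; both are assumptions, not statements of this document.

```python
"""Check that rndc.conf and the named.conf controls/key statements agree (Appendix Ia, Ib)."""
import re

INET_RE = re.compile(
    r'inet\s+(\S+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^}]*)\}(?:\s*keys\s*\{([^}]*)\})?\s*;',
    re.IGNORECASE)
ALG_RE = re.compile(r"algorithm\s+([\w-]+)\s*;", re.IGNORECASE)
SECRET_RE = re.compile(r'secret\s+"([^"]*)"\s*;', re.IGNORECASE)
DEFAULT_KEY_RE = re.compile(r'default-key\s+"?([^\s";]+)"?\s*;', re.IGNORECASE)


def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def statements(text, keyword):
    """Yield (label, body) for each `keyword [label] { body };`, matching braces by depth."""
    for m in re.finditer(r"\b" + keyword + r'\b\s*("?[^\s{"]*"?)\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth == 0:
            yield m.group(1).strip('"'), text[m.end():i - 1]


def parse_keys(text):
    """Return {key_name: (algorithm, secret)} for every key statement."""
    keys = {}
    for name, body in statements(text, "key"):
        alg, sec = ALG_RE.search(body), SECRET_RE.search(body)
        if alg and sec:
            keys[name] = (alg.group(1).lower(), sec.group(1))
    return keys


def parse_controls(text):
    """Return one dict per inet clause of the controls statement."""
    clauses = []
    for _, body in statements(text, "controls"):
        for c in INET_RE.finditer(body):
            clauses.append({
                "address": c.group(1),
                "port": int(c.group(2)) if c.group(2) else 953,        # rndc's default port
                "allow": [a.strip() for a in c.group(3).split(";") if a.strip()],
                "keys": [k.strip().strip('"') for k in (c.group(4) or "").split(";") if k.strip()],
            })
    return clauses


def check_rndc(named_conf, rndc_conf):
    """Return a list of problems; an empty list means rndc and named share the key."""
    named_conf, rndc_conf = strip_comments(named_conf), strip_comments(rndc_conf)
    server_keys, client_keys = parse_keys(named_conf), parse_keys(rndc_conf)
    controls, problems = parse_controls(named_conf), []
    if not controls:
        problems.append("named.conf has no inet control channel; rndc cannot connect")
    for c in controls:
        if not c["keys"]:
            problems.append(f"inet {c['address']}: no keys clause; BIND 9 requires rndc and "
                            "named to share a key")
        for k in c["keys"]:
            if k not in server_keys:
                problems.append(f"controls references key '{k}' that named.conf does not define")
        if c["address"] == "*" and "any" in c["allow"]:
            problems.append(f"inet * allow {{ any; }}: port {c['port']} is reachable from every "
                            "address on every interface; the shared key is the only protection")
    m = DEFAULT_KEY_RE.search(rndc_conf)
    if not m:
        return problems + ["rndc.conf has no default-key"]
    name = m.group(1)
    if name not in client_keys:
        problems.append(f"rndc.conf default-key '{name}' is not defined in rndc.conf")
    elif name not in server_keys:
        problems.append(f"named.conf does not define key '{name}' used by rndc.conf")
    elif client_keys[name] != server_keys[name]:
        problems.append(f"key '{name}': algorithm or secret differs between rndc.conf and named.conf")
    return problems


# The sample pair from Appendix Ia, condensed to one line per statement.
RNDC_CONF = '''
options { default-server localhost; default-key "rndc-key"; };
key "rndc-key" { algorithm hmac-md5; secret "qPWZ3Ndl81aBRY9AmJhVtU=="; };
'''
NAMED_OPEN = '''
controls { inet * allow { any; } keys { "rndc-key"; }; };
key "rndc-key" { algorithm hmac-md5; secret "qPWZ3Ndl81aBRY9AmJhVtU=="; };
'''
# Constructed local-only variant for a server managed only from the same host (section 5.1).
NAMED_LOCAL = NAMED_OPEN.replace("inet * allow { any; }",
                                 "inet 127.0.0.1 port 953 allow { 127.0.0.1; }")

if __name__ == "__main__":
    for label, conf in (("page sample", NAMED_OPEN), ("local only", NAMED_LOCAL)):
        print(label, check_rndc(conf, RNDC_CONF) or "OK")
```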



Ic. Commands of BIND 9 rndc
    -----------------------
  reload			 Reload configuration file and zones.
  reload zone [class [view]]	 Reload a single zone.
  refresh zone [class [view]] 	 Schedule immediate maintenance 
				  for a zone.
  reconfig      		 Reload configuration file and new
				  zones only.
  stats 			 Write server statistics to the
				  statistics file.
  querylog      		 Toggle query logging.
  dumpdb   			 Dump cache(s) to the dump file
				  (named_dump.db).
  stop				 Save pending updates to master files
				  and stop the server.
  halt          		 Stop the server without saving 
				  pending updates.
  trace				 Increment debugging level by one.
  trace level			 Change the debugging level.
  notrace			 Set debugging level to 0.
  flush				 Flush all of the server's caches.
  flush [view]			 Flush the server's cache for a view.
  status			 Display status of the server.
  restart*			 Restart the server.

  * = not yet implemented

			

Appendix II	BIND 9 Commands, Files, Tools, and Options
		------------------------------------------

IIa. Comparison of BIND 8 and BIND 9 Commands and Files
     --------------------------------------------------

The table below compares BIND 8 and BIND 9 commands and 
configuration files. BIND 9 man pages install in /usr/man. 

    -------------------------------------------------
    |   BIND 8 Command     | BIND 9.2.x replacement |
    -------------------------------------------------
    |   dnskeygen(1M)      |   dnssec-keygen(1M)    |
    |   ndc(1M)            |   rndc(1M)             |      
    |   named-bootconf(1M) |   NONE NEEDED          |
    |   nsupdate(1M)       |   nsupdate(1M)         |
    |   nslookup(1M)       |   nslookup(1M)         |
    |   named-xfer(1M)     |   NONE NEEDED          |
    |   in.named(1M)       |   named(1M)            |
    |   named.conf(4)      |   named.conf*          |
    |   dig(1M)            |   dig(1M)              |
    -------------------------------------------------

* A detailed named.conf man page is not included with BIND 9.2.4.
Appendix III includes a summary of the named.conf options that are
supported in BIND 9.2.4.
    
    
IIb. BIND 9 Tools and Configuration Files
     ------------------------------------

   The following BIND 9.2.x tools are available in the SUNWbind
   package and install in /usr/sbin.

     named            
     nsupdate         
     rndc             
     dnssec-keygen  
     nslookup       
     dig             
     dnssec-makekeyset
     dnssec-signkey   
     dnssec-signzone  
     named-checkconf  
     named-checkzone 
     rndc-confgen  
     host 
     
   The following BIND 9.2.x configuration files are supported.
     
     /etc/rndc.conf
    

IIc. Descriptions of Command and Option Changes
     ------------------------------------------

All incompatibilities listed below are BIND 8 features/interfaces that are
not supported in the equivalent BIND 9 binary. This is not intended to
be an exhaustive list of the options, command line options or features
for any BIND 9.2.x command.

1. in.named(1M): DNS Name server in.named command line options.

   In the BIND 9.2.x name server, the "-g group_name", "-q", "-r" and "-w 
   directory" options are not supported, and "-c config_file" replaces 
   the BIND 8.x "-b config_file". See the named man page for further 
   details.

2. dnssec-keygen(1M): dnskeygen(1M), which BIND 8.x used to generate
   keys, and dnssec-keygen from BIND 9.2.x have no options in common.
   See the dnssec-keygen man page for further details.

3. rndc(1M): See Appendix I in this document.

4. nsupdate(1M): in BIND 9.2.x, the syntax of the "-k" option changes
   in nsupdate. Instead of "-k keydir::keyname" the syntax is now
   "-k keyfile". The only other difference is that whereas a blank
   line was used to signal sending the input to the server, an
   explicit "send" sub-command is now used to do the same. See the
   nsupdate man page for further details.

5. nslookup(1M): the following options are unsupported in the
   BIND 9.2.x version.

   help, host server, set ignoretc, set noignoretc,
   set srch[list]=N1[/N2/.../N6], set ro[ot]=host, root, 
   finger [USER], ls [opt] DOMAIN [> FILE].

6. named.conf: several options are unsupported, not implemented or
   have changed defaults. For a list of the option changes and a
   summary of all named.conf options, see Appendix III.
   
   
   
   
Appendix III	The named.conf Options
                ----------------------

IIIa.	Changes in the Options Section
        ------------------------------

The following list compares the named.conf options between BIND 8
and BIND 9. It also provides a brief description of the change.
"OK" denotes the option works unchanged for the BIND 9 named.

   options {
     [ version version_string; ]		  OK
     [ directory path_name; ]			  OK
     [ named-xfer path_name; ] 			  Obsolete (*1)
     [ dump-file path_name; ] 			  OK
     [ memstatistics-file path_name; ] 		  Not Implemented 
     [ pid-file path_name; ] 			  OK
     [ statistics-file path_name; ]		  OK
     [ auth-nxdomain yes_or_no; ] 		  OK (*2)
     [ dialup yes_or_no; ]			  OK
     [ fake-iquery yes_or_no; ] 		  Obsolete
     [ fetch-glue yes_or_no; ]			  Obsolete
     [ has-old-clients yes_or_no; ]		  Obsolete
     [ host-statistics yes_or_no; ]		  Not Implemented
     [ host-statistics-max number; ]		  Not Implemented
     [ multiple-cnames yes_or_no; ]		  Obsolete
     [ notify yes_or_no | explicit; ]		  OK
     [ recursion yes_or_no; ]			  OK
     [ rfc2308-type1 yes_or_no; ]		  Not Implemented
     [ use-id-pool yes_or_no; ]			  Obsolete
     [ treat-cr-as-space yes_or_no; ]		  Obsolete
     [ also-notify yes_or_no; ] 		  Syntax Changed (*3)
     [ forward ( only | first ); ] 		  OK (*4)
     [ forwarders { [ in_addr ; \
     [ in_addr ; ... ] ] }; ] 			  OK (*5)
     [ check-names ( master | slave | \
       response ) ( warn | fail | ignore); ] 	  Not Implemented
     [ allow-query { address_match_list }; ]	  OK
     [ allow-recursion { address_match_list }; ]  OK
     [ allow-transfer { address_match_list }; ]	  OK
     [ blackhole { address_match_list }; ]	  OK
     [ listen-on [ port ip_port ] \
       { address_match_list }; ]		  OK
     [ query-source [ address ( ip_addr | * ) ]	\ OK
     [ port ( ip_port | * ) ] ; ]
     [ lame-ttl number; ]			  OK
     [ max-transfer-time-in number; ]		  OK
     [ max-ncache-ttl number; ]			  OK
     [ min-roots number; ]			  Not Implemented
     [ transfer-format ( one-answer | \
       many-answers ); ] 			  OK (*6)
     [ transfers-in  number; ]			  OK
     [ transfers-out number; ]			  OK
     [ transfers-per-ns number; ]		  OK
     [ transfer-source ip_addr; ]		  OK
     [ maintain-ixfr-base yes_or_no; ]		  Obsolete
     [ max-ixfr-log-size number; ]		  Obsolete (*7)
     [ coresize size_spec ; ]			  OK
     [ datasize size_spec ; ]			  OK
     [ files size_spec ; ]			  OK
     [ stacksize size_spec ; ]			  OK
     [ cleaning-interval number; ]		  OK
     [ heartbeat-interval number; ]		  OK
     [ interface-interval number; ]		  OK
     [ statistics-interval number; ]		  Not Implemented
     [ topology { address_match_list }; ]	  Not Implemented
     [ sortlist { address_match_list }; ]	  OK
     [ rrset-order { order_spec ; \
     [ order_spec ; ... ] }; ]			  Not Implemented
     };

(*1) Obsolete due to architectural differences.
(*2) Default set to yes in BIND 8, no in BIND 9.
(*3) Needs an IP address for "yes".
(*4) Doesn't work if no forwarder specified; Gives an error of "no
     matching 'forwarders' statement" in that case.
(*5) See the [ forward ] clause.
(*6) Default set to one-answer in BIND 8 and many-answers in BIND 9.
(*7) No need for this option as BIND 9 trims the size of its
     log file automatically.

 

IIIb.	Statements in BIND 9
        --------------------
			
The Controls Statement
----------------------
  Syntax
     controls {
       [ inet ip_addr
         port ip_port
         allow { address_match_list; }; ]	OK
       [ unix path_name
         perm number
         owner number
         group number; ]			Not Implemented
     };

  Note: "unix" is the default for ndc(1M) and all of the arguments
  are compiled in.

  "inet" is the only option for rndc and nothing is compiled in.

  Logging syntax has changed significantly. See section IIIc for a
  list of named.conf options.


The Zone Statement
------------------
  The syntax for the zone statement in the BIND 8 named.conf man page
  is mostly supported for BIND 9 except for the following:

  [ pubkey number number number string; ]	Obsolete
  [ check-names ( warn | fail | ignore ); ]	Not Implemented


The ACL Statement
-----------------
  Syntax
     acl name {
       address_match_list
     };

  Works unchanged in BIND 9.


The Key Statement
-----------------
  Syntax
     key key_id {
       algorithm algorithm_id;
       secret secret_string;
     };

  Works unchanged in BIND 9.


The Trusted-Keys Statement
--------------------------
  Syntax
     trusted-keys {
       [ domain_name flags protocol algorithm key; ]
     };

  Works unchanged; however, the code to use this 
  statement has been turned off in BIND 9.2.4.


The Server Statement
--------------------
  Syntax
     server ip_addr {
       [ bogus yes_or_no; ]
       [ transfers number; ]
       [ transfer-format ( one-answer | many-answers ); ]
       [ keys { key_id [ key_id ... ] }; ]
       [ edns yes_or_no; ]
     };

* "support-ixfr" is obsolete, however all of the above options work 
  unchanged in BIND 9. Note the default for transfer-format has changed.


The Include Statement
---------------------
  Syntax
     include path_name;

  Works unchanged in BIND 9.




IIIc.	Summary of the named.conf Options
	---------------------------------

A detailed named.conf man page is not included with BIND 9.2.4. 
Following is a summary of the named.conf options that are 
supported in BIND 9.2.4.

options {
        blackhole { <address_match_element>; ... };
        coresize <size>;
        datasize <size>;
        deallocate-on-exit <boolean>; // obsolete
        directory <quoted_string>;
        dump-file <quoted_string>;
        fake-iquery <boolean>; // obsolete
        files <size>;
        has-old-clients <boolean>; // obsolete
        heartbeat-interval <integer>;
        host-statistics <boolean>; // not implemented
        host-statistics-max <integer>; // not implemented
        interface-interval <integer>;
        listen-on [ port <integer> ] { <address_match_element>; ... };
        listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
        match-mapped-addresses <boolean>;
        memstatistics-file <quoted_string>; // not implemented
        multiple-cnames <boolean>; // obsolete
        named-xfer <quoted_string>; // obsolete
        pid-file <quoted_string>;
        port <integer>;
        random-device <quoted_string>;
        recursive-clients <integer>;
        rrset-order { [ class <string> ] [ type <string> ] [ name
            <quoted_string> ] <string> <string>; ... }; // not implemented
        serial-queries <integer>; // obsolete
        serial-query-rate <integer>;
        stacksize <size>;
        statistics-file <quoted_string>;
        statistics-interval <integer>; // not yet implemented
        tcp-clients <integer>;
        tkey-dhkey <quoted_string> <integer>;
        tkey-gssapi-credential <quoted_string>;
        tkey-domain <quoted_string>;
        transfers-per-ns <integer>;
        transfers-in <integer>;
        transfers-out <integer>;
        treat-cr-as-space <boolean>; // obsolete
        use-id-pool <boolean>; // obsolete
        use-ixfr <boolean>;
        version <quoted_string>;
        allow-recursion { <address_match_element>; ... };
        allow-v6-synthesis { <address_match_element>; ... };
        sortlist { <address_match_element>; ... };
        topology { <address_match_element>; ... }; // not implemented
        auth-nxdomain <boolean>; // default changed
        minimal-responses <boolean>;
        recursion <boolean>;
        provide-ixfr <boolean>;
        request-ixfr <boolean>;
        fetch-glue <boolean>; // obsolete
        rfc2308-type1 <boolean>; // not yet implemented
        additional-from-auth <boolean>;
        additional-from-cache <boolean>;
        query-source <querysource4>;
        query-source-v6 <querysource6>;
        cleaning-interval <integer>;
        min-roots <integer>; // not implemented
        lame-ttl <integer>;
        max-ncache-ttl <integer>;
        max-cache-ttl <integer>;
        transfer-format ( many-answers | one-answer );
        max-cache-size <size_no_default>;
        check-names <string> <string>; // not implemented
        cache-file <quoted_string>;
        allow-query { <address_match_element>; ... };
        allow-transfer { <address_match_element>; ... };
        allow-update-forwarding { <address_match_element>; ... };
        allow-notify { <address_match_element>; ... };
        notify <notifytype>;
        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
            ) [ port <integer> ]; ... };
        dialup <dialuptype>;
        forward ( first | only );
        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
            [ port <integer> ]; ... };
        maintain-ixfr-base <boolean>; // obsolete
        max-ixfr-log-size <size>; // obsolete
        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        max-transfer-time-in <integer>;
        max-transfer-time-out <integer>;
        max-transfer-idle-in <integer>;
        max-transfer-idle-out <integer>;
        max-retry-time <integer>;
        min-retry-time <integer>;
        max-refresh-time <integer>;
        min-refresh-time <integer>;
        sig-validity-interval <integer>;
        zone-statistics <boolean>;
};

controls {
        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
            ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ];
        unix <unsupported>; // not implemented
};

acl <string> { <address_match_element>; ... };

logging {
        channel <string> {
                file <logfile>;
                syslog <optional_facility>;
                null;
                stderr;
                severity <logseverity>;
                print-time <boolean>;
                print-severity <boolean>;
                print-category <boolean>;
        };
        category <string> { <string>; ... };
};

view <string> <optional_class> {
        match-clients { <address_match_element>; ... };
        match-destinations { <address_match_element>; ... };
        match-recursive-only <boolean>;
        key <string> {
                algorithm <string>;
                secret <string>;
        };
        zone <string> <optional_class> {
                type ( master | slave | stub | hint | forward );
                allow-update { <address_match_element>; ... };
                file <quoted_string>;
                ixfr-base <quoted_string>; // obsolete
                ixfr-tmp-file <quoted_string>; // obsolete
                masters [ port <integer> ] { ( <ipv4_address> |
                    <ipv6_address> ) [ port <integer> ] [ key <string> ]; ... };
                pubkey <integer> <integer> <integer>
                    <quoted_string>; // obsolete
                update-policy { ( grant | deny ) <string> ( name |
                    subdomain | wildcard | self ) <string> <rrtypelist>; ... };
                database <string>;
                check-names <string>; // not implemented
                allow-query { <address_match_element>; ... };
                allow-transfer { <address_match_element>; ... };
                allow-update-forwarding { <address_match_element>; ... };
                allow-notify { <address_match_element>; ... };
                notify <notifytype>;
                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
                    ) ];
                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
                    | * ) ];
                also-notify [ port <integer> ] { ( <ipv4_address> |
                    <ipv6_address> ) [ port <integer> ]; ... };
                dialup <dialuptype>;
                forward ( first | only );
                forwarders [ port <integer> ] { ( <ipv4_address> |
                    <ipv6_address> ) [ port <integer> ]; ... };
                maintain-ixfr-base <boolean>; // obsolete
                max-ixfr-log-size <size>; // obsolete
                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
                    * ) ];
                transfer-source-v6 ( <ipv6_address> | * ) [ port (
                    <integer> | * ) ];
                max-transfer-time-in <integer>;
                max-transfer-time-out <integer>;
                max-transfer-idle-in <integer>;
                max-transfer-idle-out <integer>;
                max-retry-time <integer>;
                min-retry-time <integer>;
                max-refresh-time <integer>;
                min-refresh-time <integer>;
                sig-validity-interval <integer>;
                zone-statistics <boolean>;
        };
        server {
                bogus <boolean>;
                provide-ixfr <boolean>;
                request-ixfr <boolean>;
                support-ixfr <boolean>; // obsolete
                transfers <integer>;
                transfer-format ( many-answers | one-answer );
                keys <server_key>;
                edns <boolean>;
        };
        trusted-keys { <string> <integer> <integer> <integer>
            <quoted_string>; ... };
        allow-recursion { <address_match_element>; ... };
        allow-v6-synthesis { <address_match_element>; ... };
        sortlist { <address_match_element>; ... };
        topology { <address_match_element>; ... }; // not implemented
        auth-nxdomain <boolean>; // default changed
        minimal-responses <boolean>;
        recursion <boolean>;
        provide-ixfr <boolean>;
        request-ixfr <boolean>;
        fetch-glue <boolean>; // obsolete
        rfc2308-type1 <boolean>; // not yet implemented
        additional-from-auth <boolean>;
        additional-from-cache <boolean>;
        query-source <querysource4>;
        query-source-v6 <querysource6>;
        cleaning-interval <integer>;
        min-roots <integer>; // not implemented
        lame-ttl <integer>;
        max-ncache-ttl <integer>;
        max-cache-ttl <integer>;
        transfer-format ( many-answers | one-answer );
        max-cache-size <size_no_default>;
        check-names <string> <string>; // not implemented
        cache-file <quoted_string>;
        allow-query { <address_match_element>; ... };
        allow-transfer { <address_match_element>; ... };
        allow-update-forwarding { <address_match_element>; ... };
        allow-notify { <address_match_element>; ... };
        notify <notifytype>;
        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
            ) [ port <integer> ]; ... };
        dialup <dialuptype>;
        forward ( first | only );
        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
            [ port <integer> ]; ... };
        maintain-ixfr-base <boolean>; // obsolete
        max-ixfr-log-size <size>; // obsolete
        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        max-transfer-time-in <integer>;
        max-transfer-time-out <integer>;
        max-transfer-idle-in <integer>;
        max-transfer-idle-out <integer>;
        max-retry-time <integer>;
        min-retry-time <integer>;
        max-refresh-time <integer>;
        min-refresh-time <integer>;
        sig-validity-interval <integer>;
        zone-statistics <boolean>;
};

lwres {
        listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
            [ port <integer> ]; ... };
        view <string> <optional_class>;
        search { <string>; ... };
        ndots <integer>;
};

key <string> {
        algorithm <string>;
        secret <string>;
};

zone <string> <optional_class> {
        type ( master | slave | stub | hint | forward );
        allow-update { <address_match_element>; ... };
        file <quoted_string>;
        ixfr-base <quoted_string>; // obsolete
        ixfr-tmp-file <quoted_string>; // obsolete
        masters [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [
            port <integer> ] [ key <string> ]; ... };
        pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
        update-policy { ( grant | deny ) <string> ( name | subdomain |
            wildcard | self ) <string> <rrtypelist>; ... };
        database <string>;
        check-names <string>; // not implemented
        allow-query { <address_match_element>; ... };
        allow-transfer { <address_match_element>; ... };
        allow-update-forwarding { <address_match_element>; ... };
        allow-notify { <address_match_element>; ... };
        notify <notifytype>;
        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
            ) [ port <integer> ]; ... };
        dialup <dialuptype>;
        forward ( first | only );
        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
            [ port <integer> ]; ... };
        maintain-ixfr-base <boolean>; // obsolete
        max-ixfr-log-size <size>; // obsolete
        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
        max-transfer-time-in <integer>;
        max-transfer-time-out <integer>;
        max-transfer-idle-in <integer>;
        max-transfer-idle-out <integer>;
        max-retry-time <integer>;
        min-retry-time <integer>;
        max-refresh-time <integer>;
        min-refresh-time <integer>;
        sig-validity-interval <integer>;
        zone-statistics <boolean>;
};

server {
        bogus <boolean>;
        provide-ixfr <boolean>;
        request-ixfr <boolean>;
        support-ixfr <boolean>; // obsolete
        transfers <integer>;
        transfer-format ( many-answers | one-answer );
        keys <server_key>;
        edns <boolean>;
};

trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
