37bb75f740
1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used.
58 lines
2.0 KiB
Plaintext
58 lines
2.0 KiB
Plaintext
Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
|
Copyright (C) 2001 Internet Software Consortium.
|
|
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
|
|
|
|
$Id: migration-4to9,v 1.4 2004-03-05 05:04:53 marka Exp $
|
|
|
|
BIND 4 to BIND 9 Migration Notes
|
|
|
|
To transition from BIND 4 to BIND 9 you first need to convert your
|
|
configuration file to the new format. There is a conversion tool in
|
|
contrib/named-bootconf that allows you to do this.
|
|
|
|
named-bootconf.sh < /etc/named.boot > /etc/named.conf
|
|
|
|
BIND 9 uses a system assigned port for the UDP queries it makes rather
|
|
than port 53 that BIND 4 uses. This may conflict with some firewalls.
|
|
The following directives in /etc/named.conf allows you to specify
|
|
a port to use.
|
|
|
|
query-source address * port 53;
|
|
transfer-source * port 53;
|
|
notify-source * port 53;
|
|
|
|
BIND 9 no longer uses the minimum field to specify the TTL of records
|
|
without a explicit TTL. Use the $TTL directive to specify a default TTL
|
|
before the first record without a explicit TTL.
|
|
|
|
$TTL 3600
|
|
@ IN SOA ns1.example.com. hostmaster.example.com. (
|
|
2001021100
|
|
7200
|
|
1200
|
|
3600000
|
|
7200 )
|
|
|
|
BIND 9 does not support multiple CNAMEs with the same owner name.
|
|
|
|
Illegal:
|
|
www.example.com. CNAME host1.example.com.
|
|
www.example.com. CNAME host2.example.com.
|
|
|
|
BIND 9 does not support "CNAMEs with other data" with the same owner name,
|
|
ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
|
|
|
|
Illegal:
|
|
www.example.com. CNAME host1.example.com.
|
|
www.example.com. MX 10 host2.example.com.
|
|
|
|
BIND 9 is less tolerant of errors in master files, so check your logs and
|
|
fix any errors reported. The named-checkzone program can also be to check
|
|
master files.
|
|
|
|
Outgoing zone transfers now use the "many-answers" format by default.
|
|
This format is not understood by certain old versions of BIND 4.
|
|
You can work around this problem using the option "transfer-format
|
|
one-answer;", but since these old versions all have known security
|
|
problems, the correct fix is to upgrade the slave servers.
|