Feature #1233


Bind 9.8 with RFC 5011 DNSSEC root key already defined

Added by r a almost 11 years ago. Updated over 9 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
8.00 h


Can OpenIndiana be shipped with Bind v9.8 as the default version, and also have Bind configured by default to have DNSSEC enabled and for DNSSEC validation to occur and have a valid Root Key along with the root hints file. With RFC5011 Bind will auto update the DNSSEC root key providing it has one valid key defined.

Actions #1

Updated by Chris Jordan almost 11 years ago

  • Assignee set to OI SFW
  • Tags changed from needs-triage to bind
Actions #2

Updated by Ken Mays over 10 years ago

  • Status changed from New to Closed
Actions #3

Updated by Ken Mays over 10 years ago

  • Status changed from Closed to New
Actions #4

Updated by Ken Mays over 10 years ago

  • Due date set to 2011-09-14
  • Category changed from Security to 10
  • Assignee changed from OI SFW to OI Userland
  • Estimated time set to 8.00 h
Actions #5

Updated by Ken Mays over 10 years ago

  • Difficulty changed from Medium to Bite-size

Bind-9.8.1 test build completed successfully and packaged on oi_151a. Added DNSSEC, valid Root Key, and root hints file. Just need to update Userland consolidation or promote to SFE.

Actions #6

Updated by Bayard Bell about 10 years ago

  • Priority changed from Normal to Low

bind is pending upgrade, but likely not to the latest and greatest. We are also looking at providing root key automation for the validating recursive DNS servers.

Actions #7

Updated by r a about 10 years ago


Bind 9.9 was released on the 29th February and includes the following improvements detailed below and includes RFC 5011 for auto update of Root Key Signing Key. Can this be next default release?

Inline Signing

This feature greatly simplifies the deployment of DNSSEC by allowing completely automatic, fully transparent signing of zones. Using the new 'inline-signing' option in a master server allows named to switch on DNSSEC in a zone without modifying the original zone file in any way. Using it in a slave server allows a zone to be signed even if it's served from a master database that doesn't support DNSSEC.

Some example configurations may be found at

NXDOMAIN Redirection

This is a mechanism for resolver operators to redirect users when a query would have otherwise resulted in "no such domain". This allows an ISP, for example, to provide alternate suggestions for misspelled domain names. (Whenever DNSSEC validation is requested by the client and requested name is in a DNSSEC-signed domain, NXDOMAIN redirection will not take place.)
Multiprocessing Performance Improvements

When built with thread support and when running on multicore UNIX or Linux systems, named can now use multiple threads to listen for incoming UDP traffic. On some architectures, this allows a significant improvement in query performance.
Further information at:

This release includes a substantially reworked recursive client management system, improving hardware scalability. Prior releases showed some degradation in performance when running with more than eight processor cores.
Startup and Reconfiguration Performance Improvements

BIND 9.9 includes a fix that greatly improves startup performance on authoritative systems using large numbers of zones. The zone task table is sized based on the number of configured zones; previously it used a hard-coded size. Customers have reported speedups ranging from 3x to 20x as a result of this fix.

Slave zones are now cached in raw (binary) format instead of text format by default; this cuts load time for slave zones by roughly 50%.

'rndc reconfig' has been modified to minimze the time during which name service is interrupted.
Improved RNDC Commands

The new 'rndc flushtree' command clears the DNS cache of all names beneath a specified name.

'rndc freeze' and 'rndc thaw' no longer remove a zone's journal file; this allows 'ixfr-from-differences' to be used with dynamic zones. To sync and remove a journal file, use 'rndc sync -clean'.
General DNSSEC Improvements

The new 'rndc signing' command provides greater visibility and control of the automatic DNSSEC signing process. When a zone is being signed by named, records are inserted into the zone indicating which keys are currently in the process of signing and which have finished (this enables named to resume the process correctly if there is a crash before the zone is fully signed). With 'rndc signing' it is possible to view this status information, remove the records indicating that signing is complete.

'rndc signing' also allows configuration of the NSEC3 parameters of a zone. This can be done even before a zone is signed, enabling named to sign zones with NSEC3 without the need to use NSEC first.
General Improvements

The 'also-notify' option now takes uses the same syntax as the 'masters' option. This allows, for example, TSIG keys to be specified for use with notifies.

The new 'serial-update-method' option allows you to choose, in dynamic zones, whether changes should cause the SOA serial number to be incremented by one, or set to the current time.

Actions #8

Updated by r a over 9 years ago

Last night I built Bind 9.9.2 on io_151a7 using the following commands

$ CC=gcc --prefix=/opt/gnu --sysconfdir=/etc --enable-threads --enable-largefile --enable-ipv6 --enable-shared --disable-static
$ make
  1. make install

After moving named, dig and nslookup sideways, I then linked the named, dig and nslookup to binaries in the /opt/gnu/sbin and /opt/gnu/bin directories

Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] starting BIND 9.9.2
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] built with '--prefix=/opt/gnu' '--sysconfdir=/etc' '--enable-threads' '--enable-largefile' '--enable-ipv6' '--enable-shared' '--disable-static' 'CC=gcc'
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] ----------------------------------------------------
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] corporation. Support and training for BIND 9 are
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] available at
Nov 15 19:45:03 ts named11872: [ID 873579 daemon.notice] ----------------------------------------------------

Actions #9

Updated by Ken Mays over 9 years ago

  • Status changed from New to Closed
  • Target version deleted (oi_151_stable)
  • % Done changed from 0 to 100

Per user request, oi-build now includes BIND 9.8.3-P2 so this ticket is resolved for that request. Please resubmit RFE for BIND >=9.9.2-P1 with the necessary information for proper packaging and deployment if DNSSEC needs are within scope of the project. See:


Also available in: Atom PDF