At 5:07 AM +0100 2004-09-25, Doug Barton wrote:

> There are many differences between BIND 8 and 9. Some of the more
> important ones are how picky BIND 9 is about zone file format. Some
> zones that loaded fine under BIND 8 will not load with 9. The named
> process is controlled with a program called rndc. The ndc binary is
> no longer present.

Having worked with BIND 9 since it came out, I'm very glad to see that this has finally been imported into FreeBSD! However, there are a couple more differences I'd like to highlight.

First, you cannot use rndc to start BIND 9, whereas you used to be able to do this with ndc for BIND 8. The old ndc communicated with BIND 8 via Unix sockets or IP sockets, but didn't use any security in that process, and if it couldn't communicate with BIND 8, it could always start the binary locally. The concept for rndc is that it is used to manage a network of nameservers via TCP exclusively, and it does use cryptographic methods to secure that process. However, this means that it can't talk to BIND 9 until BIND 9 is already running. You will have to modify your start/stop scripts as appropriate.

Second, there are tools provided with BIND 9 to make your life easier during migration. Specifically, programs called named-checkzone and named-checkconf. They will use the same library routines that BIND 9 uses when loading the zone files or the configuration file (respectively), and tell you what errors are found where. If these programs don't report any errors in your configuration file or zone files, then you are reasonably certain that they should load okay. There are a few things that can only be determined at load time by BIND 9 itself, but in terms of syntax checking, etc... you need to start with using these programs.

There are some DNS debugging utilities that are also shipped with BIND. I don't know where they are put in the FreeBSD scheme of things, but in the BIND scheme, they are found under contrib/ in separate sub-directories per program. In BIND 9.3.0, there is nslint 2.1a3, which may be of some use to you. Keep in mind that DNS debugging tools don't typically work on zone files, instead they require that the nameserver already be running and the zone already be loaded, and then they do their thing as a normal DNS client -- some will actually use dig, while others may go straight to the library routines.

It doesn't look like dnswalk or doc got included with the BIND 9 tarball, but they are also very useful DNS debugging tools. Note that doc is the only DNS debugging tool I know of that does not require zone transfer permission in order to do its task, whereas tools like nslint and dnswalk do require that ability. If you want to use doc with BIND 9, you should grab the latest tarball at <ftp://ftp.shub-internet.org/pub/shub/brad/dns/doc-2.2.3.tar.bz2>.

Another utility that may be of some use is nanny.pl, also found in contrib/. Unfortunately, it uses "kill" to send signals to BIND 9, which may have been okay with BIND 8, but is absolutely the wrong way to do things with BIND 9 -- all control of BIND 9 should be done via rndc and not signals. Future versions of BIND 9 may remove the ability to send signals at all, and this may cause the program to crash. Get used to doing everything through rndc now.

-- 
Brad Knowles, <brad_at_stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.

Received on Sat Sep 25 2004 - 10:27:02 UTC
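The start/stop workflow the post describes (check named.conf and every zone with named-checkconf and named-checkzone first, start named directly because rndc cannot do it, and stop or reload only through rndc rather than kill), as an added example that is not part of the original message and is not BIND's own code. The file paths, the NAMED_DIR value (the options { directory } setting) and the small awk zone lister are assumptions made for illustration; named-checkconf remains the authoritative parser, and rndc stop/reload only work once named is running with a matching rndc key configured.

```shell
#!/bin/sh
# Added example, not code from the original post or from BIND.
# Pre-flight wrapper for BIND 9: syntax-check named.conf and every master zone
# with named-checkconf/named-checkzone, start named only if the checks pass,
# and stop/reload exclusively through rndc (never via kill).
# All paths below are assumptions for illustration; override via environment.

NAMED_CONF="${NAMED_CONF:-/etc/namedb/named.conf}"
NAMED_DIR="${NAMED_DIR:-/etc/namedb}"       # the options { directory } value (assumed)
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"
RNDC_BIN="${RNDC_BIN:-/usr/sbin/rndc}"
NAMED_CHECKCONF="${NAMED_CHECKCONF:-/usr/sbin/named-checkconf}"
NAMED_CHECKZONE="${NAMED_CHECKZONE:-/usr/sbin/named-checkzone}"

# list_zones CONF: print "name file" for each zone of type master (or primary)
# in CONF. Best-effort awk walk over ';'-terminated statements with brace-depth
# tracking, so nested blocks (allow-transfer { ... }) do not end the zone early.
# It ignores comments and include files; named-checkconf is the real parser.
list_zones() {
    awk 'BEGIN { RS = ";" }
    {
        rec = " " $0                         # leading space: match keywords as whole words
        depth += gsub(/[{]/, "{", rec)       # blocks opened by this statement
        if (rec ~ /[[:space:]]zone[[:space:]]*"[^"]*"[[:space:]]*[{]/) {
            zone = rec
            sub(/^[^"]*"/, "", zone); sub(/".*/, "", zone)
            zdepth = depth; is_master = 0; file = ""
        }
        if (rec ~ /[[:space:]]type[[:space:]]+(master|primary)/) is_master = 1
        if (rec ~ /[[:space:]]file[[:space:]]*"[^"]*"/) {
            file = rec
            sub(/^[^"]*"/, "", file); sub(/".*/, "", file)
        }
        closes = gsub(/}/, "}", rec)
        if (zone != "" && depth - closes < zdepth) {   # the zone block just closed
            if (is_master && file != "") print zone, file
            zone = ""
        }
        depth -= closes
    }' "$1"
}

# preflight [CONF]: run the BIND 9 checks; non-zero status means "do not start".
preflight() {
    conf="${1:-$NAMED_CONF}"
    "$NAMED_CHECKCONF" "$conf" || { echo "named-checkconf failed on $conf" >&2; return 1; }
    list_zones "$conf" | while read -r zone file; do
        case "$file" in
            /*) path="$file" ;;
            *)  path="$NAMED_DIR/$file" ;;   # relative paths hang off the directory option
        esac
        "$NAMED_CHECKZONE" "$zone" "$path" < /dev/null \
            || { echo "named-checkzone failed for $zone ($path)" >&2; exit 1; }
    done
}

case "${1:-}" in
    check)  preflight ;;
    start)  preflight && "$NAMED_BIN" -c "$NAMED_CONF" ;;   # rndc cannot start named
    stop)   "$RNDC_BIN" stop ;;                              # rndc, never kill/signals
    reload) preflight && "$RNDC_BIN" reload ;;
    "")     ;;   # no action requested: only define the functions
    *)      echo "usage: $0 check|start|stop|reload" >&2; exit 2 ;;
esac
```

Run it as `sh bind9-preflight.sh check` before the first migration start; a failing named-checkzone is exactly the "loaded fine under BIND 8, rejected by BIND 9" case the thread is about, caught before named is touched.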