© Men & Mice http://menandmice.com
BIND 9.11
© ISC http://www.isc.org
BIND 9.11
• Catalog Zones
• new rndc functions
• dnssec-keymgr
• CDS/CDNSKEY auto generation
• Negative Trust Anchor
• DNS cookies
• Minimal “any”
BIND 9.11 License change
• BIND 9.11 is now licensed under the Mozilla Public License (MPL)
  https://en.wikipedia.org/wiki/Mozilla_Public_License
• previous versions of BIND 9 are licensed under the ISC License (a variation of the BSD License)
  https://en.wikipedia.org/wiki/ISC_license
• both licenses are "Open-Source" licenses
• this change has no impact on users of BIND 9 (including users of the Men & Mice Suite)
• it has an impact on companies that include an adapted version of BIND 9 in their product offerings
BIND 9 catalog zones
Catalog Zones
• catalog zones are a way to provision DNS zones
• catalog zones are an Internet Draft ("work in progress" in the IETF)
  https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones
• a "proof-of-concept" implementation for PowerDNS exists
Catalog Zones
• a catalog zone works like a normal DNS zone
• it contains the names and configuration metadata of zones that should exist on a secondary server
• the catalog zone is maintained on the master server
• new zones added to the catalog zone on the master are also created on the secondaries receiving the same catalog zone
[Diagram, slides 7–14: provisioning a new zone with a catalog zone]
1. Starting point: a server with master zones and a server with slave zones.
2. An empty catalog zone (master) is created on the server with the master zones.
3. The server with the slave zones receives an empty catalog zone (slave).
4. A new production zone example.com (master) is created on the master server.
5. The new production zone is added to the catalog zone (master); the catalog zone (slave) is still empty.
6. Zone transfer of the catalog zone: the catalog zone (slave) now lists example.com.
7. The configuration for the production slave zone example.com is added by BIND on the secondary.
8. Zone transfer of the production zone example.com to the new slave zone.
Catalog Zones
• empty catalog zone
  $TTL 60
  @ IN SOA authoritative.example.com. hostmaster (
                  1001 2h 20m 41d 1h )
    IN NS authoritative.example.com.
    IN NS secondary01.example.com.
  (the NS names should be resolvable via DNS for notify to work)
Catalog Zones
• BIND 9 named.conf with catalog zone on the master server
  options {
    directory "/etc/namedb";
    recursion no;
  };
  logging {
    channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
  };
  zone "catalog.example" {
    type master;
    file "catalog.example";
  };
Catalog Zones
• start BIND 9 on the master
  # named-checkconf -z
  zone catalog.example/IN: loaded serial 1001
  # named
  # rndc status
  version: BIND 9.11.0b3 <id:a23f742>
  running on csmobile4.example.com: Linux x86_64 4.6.5-300.fc24.x86_64 #1 SMP Thu Jul 28 01:10:12 UTC 2016
  boot time: Tue, 16 Aug 2016 07:29:05 GMT
  last configured: Tue, 16 Aug 2016 07:30:49 GMT
  configuration file: /etc/named.conf
  CPUs found: 4
  worker threads: 4
  UDP listeners per interface: 3
  number of zones: 2 (0 automatic)
  debug level: 0
  xfers running: 0
  xfers deferred: 0
  soa queries in progress: 0
  query logging is OFF
  recursive clients: 0/900/1000
  tcp clients: 0/150
  server is up and running
Catalog Zones
• BIND 9 configuration on the secondary
  options {
    directory "/etc/namedb";
    recursion no;
    allow-new-zones yes;                  // allow BIND 9 to dynamically add new zones
    catalog-zones {                       // definition of the catalog zone
      zone "catalog.example"
        zone-directory "cat-zones"        // directory for storing new slave zones
        in-memory no                      // write slave zone contents to disk
        default-masters { 172.22.1.196; };   // IP addresses of the default masters for new slave zones
    };
  };
  logging {
    channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
  };
  zone "catalog.example" {                // catalog zone definition
    type slave;
    file "catalog.example";
    masters { 172.22.1.196; };
  };
Catalog Zones
• adding the new zone to the BIND 9 server (Step 1)
  # $EDITOR /etc/namedb/example.com
  $TTL 1800
  @ IN SOA authoritative.example.com. hostmaster 1001 2h 30m 41d 1h
    IN NS authoritative.example.com.
    IN NS secondary01.example.com.
  authoritative IN A 172.22.1.196
  secondary01 IN A 172.22.1.199
Catalog Zones
• adding the new zone to the BIND 9 server (Step 2)
  # $EDITOR /etc/namedb/named.conf
  options {
    directory "/etc/namedb";
    recursion no;
  };
  logging {
    channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
  };
  zone "example.com" {                    // new zone configuration
    type master;
    file "example.com";
  };
  zone "catalog.example" {
    type master;
    file "catalog.example";
  };
Catalog Zones
• adding the new zone to the BIND 9 server (Step 3)
  # named-checkconf -z
  zone example.com/IN: loaded serial 1001
  zone catalog.example/IN: loaded serial 1001
Catalog Zones
• adding the new zone to the catalog zone
  # echo -n "example.com" | openssl sha1
  (stdin)= 0caaf24ab1a0c33440c06afe99df986365b0781f
  (the SHA-1 hash identifies the new zone)
  # $EDITOR /etc/namedb/catalog.example
  $TTL 60
  @ IN SOA authoritative.example.com. hostmaster 1002 (   ; incremented SOA serial number
                  2h 20m 41d 1h )
    IN NS authoritative.example.com.
    IN NS secondary01.example.com.
  ; maps the hash to the name of the zone
  0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
Catalog Zones
• BIND 9 log information shows the update of the catalog zone followed by a transfer of the new zone:
  named[157]: client 172.22.1.196#60914: received notify for zone 'catalog.example'
  named[157]: zone catalog.example/IN: notify from 172.22.1.196#60914: serial 1002
  named[157]: zone catalog.example/IN: Transfer started.
  named[157]: catz: updating catalog zone 'catalog.example' with serial 1002
  named[157]: zone catalog.example/IN: transferred serial 1002
  named[157]: zone catalog.example/IN: sending notifies (serial 1002)
  named[157]: catz: adding zone 'example.com' from catalog 'catalog.example' - success
  named[157]: zone example.com/IN: Transfer started.
  named[157]: zone example.com/IN: transferred serial 1001
  named[157]: zone example.com/IN: sending notifies (serial 1001)
  (the new zone is now available on the secondary)
Catalog Zones
• catalog zones can contain configuration information for the new zone (details in the BIND 9 ARM):
  $TTL 60
  @ IN SOA authoritative.catalog.example. hostmaster 1002 2h 20m 41d 1h
    IN NS authoritative.example.com.
    IN NS secondary01.example.com.
  0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
  ; definition of the zone's master server(s)
  masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196
  ; access control list for zone transfer
  allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL (
                  1:172.22.1.196/32 1:172.22.1.199/32 )
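Writing the catalog entries above by hand is where mistakes creep in: the label has to be the hash of the exact zone name, the SOA serial has to go up or the secondaries never see the change, and the APL items need the right address-family prefix. The Python below is an added example written for this page, not part of the slides, of ISC's BIND or of the catalog-zones draft. It follows the slide's labelling method (hex SHA-1 over the textual zone name, as produced by echo -n "example.com" | openssl sha1); the function names member_label, member_records, bump_serial and render_catalog are chosen here, and the zone names and addresses in the usage are the slide's example values.

```python
"""Build catalog-zone member records for BIND 9.11 (added example, not BIND code).

Labelling follows the slide: the member label is the hex SHA-1 of the zone
name as typed (echo -n "example.com" | openssl sha1). Per-zone settings live
under that label as masters.<label>.zones / allow-transfer.<label>.zones.
"""
import hashlib
import ipaddress


def member_label(zone):
    """Hex SHA-1 of the textual zone name (trailing dot stripped, lower-cased)."""
    name = zone.rstrip(".").lower()
    return hashlib.sha1(name.encode("ascii")).hexdigest()


def apl_item(prefix):
    """One APL item (RFC 3123): address family 1 = IPv4, 2 = IPv6, then the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    return "%d:%s" % (family, net.with_prefixlen)


def member_records(zone, masters=(), allow_transfer=()):
    """Zone-file lines that add one member zone to the catalog.

    masters        -- addresses of the member zone's master server(s)
    allow_transfer -- prefixes allowed to transfer the member zone (APL record)
    """
    label = member_label(zone)
    fqdn = zone.rstrip(".") + "."
    lines = ["%s.zones IN PTR %s" % (label, fqdn)]
    for addr in masters:
        ip = ipaddress.ip_address(addr)
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append("masters.%s.zones IN %s %s" % (label, rtype, ip))
    if allow_transfer:
        items = " ".join(apl_item(p) for p in allow_transfer)
        lines.append("allow-transfer.%s.zones IN APL ( %s )" % (label, items))
    return lines


def bump_serial(serial):
    """Secondaries only pick up the change once the SOA serial increases (RFC 1982 wrap)."""
    return (serial + 1) % (1 << 32)


def render_catalog(serial, primary_ns, secondary_ns, members):
    """Whole catalog zone text: SOA with the given serial, NS set, then all member records.

    members -- iterable of (zone, masters, allow_transfer) tuples
    """
    out = [
        "$TTL 60",
        "@ IN SOA %s hostmaster %d 2h 20m 41d 1h" % (primary_ns, serial),
        "  IN NS %s" % primary_ns,
        "  IN NS %s" % secondary_ns,
    ]
    for zone, masters, allow_transfer in members:
        out.extend(member_records(zone, masters, allow_transfer))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # the slide's values: serial 1001 -> 1002, member zone example.com
    text = render_catalog(bump_serial(1001),
                          "authoritative.example.com.", "secondary01.example.com.",
                          [("example.com", ["172.22.1.196"], ["172.22.1.196", "172.22.1.199"])])
    print(text)
```

Run it and diff the output against the catalog zone file before reloading; the PTR line it prints for example.com is exactly the one on the slide. Keeping the label derivation in one function also avoids the classic mismatch where one person hashes "example.com" and another hashes "example.com." and the catalog ends up with two entries for the same zone.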
Catalog Zones
• rndc zonestatus on a zone added via catalog zone:
  # rndc zonestatus example.com
  name: example.com
  type: slave
  files: cat-zones/__catz___default_catalog.example_example.com.db
  serial: 1001
  nodes: 3
  last loaded: Thu, 18 Aug 2016 07:29:58 GMT
  next refresh: Thu, 18 Aug 2016 07:52:54 GMT
  expires: Mon, 26 Sep 2016 07:54:36 GMT
  secure: no
  dynamic: no
  reconfigurable via modzone: yes
  (files: the backup file of the slave zone; next refresh / expires: zone expiry information for slave zones)
rndc (Remote Name Daemon Control)
read-only rndc
• an rndc control channel can be configured "read-only"
• all "destructive" rndc commands are blocked ("reload", "reconfigure", "stop", "addzone", "delzone" etc.)
• multiple control channels can be configured
• each should have a unique "tsig" key for authentication
  key "rndc-key" {
    algorithm hmac-md5;
    secret "ikRtqFL52Inn+7wCE0Bb9A==";
  };
  controls {
    inet 127.0.0.1 port 953
      allow { 127.0.0.1; }
      keys { "rndc-key"; }
      read-only yes;
  };
Zone provisioning with rndc
• in previous BIND 9 versions it was already possible to dynamically add/remove zones in a running configuration with rndc addzone and rndc delzone
• zone configurations added with rndc addzone can now be changed dynamically with rndc modzone
• rndc delzone can now also remove zones that are configured in named.conf
  # rndc delzone example.com
  zone 'example.com' is no longer active and will be deleted.
  To keep it from returning when the server is restarted, it
  must also be removed from named.conf.
rndc zonestatus
• rndc can now display detailed information about a configured zone
  # rndc zonestatus example.com
  name: example.com
  type: master
  files: example.com
  serial: 1001
  nodes: 3
  last loaded: Thu, 18 Aug 2016 07:25:06 GMT
  secure: no
  dynamic: no
  reconfigurable via modzone: no
python rndc
• BIND 9.11 contains a Python library to access the rndc control channel from within Python programs
• applications written in Python can make use of rndc functions (addzone, manage keys, sign zones etc.)
DNSSEC
dnssec-keymgr
• dnssec-keymgr is a new tool written in Python to manage DNSSEC keys (and the key rollover)
• the tool reads a policy file (${SYSCONFDIR}/policy.conf) and creates new ZSKs/KSKs based on the defined policies
• policies can be defined globally, per algorithm and per zone
• policies can inherit settings from a global policy definition
dnssec-keymgr
• dnssec-keymgr example policy configuration
  policy default-dnssec {
    directory "/etc/namedb/keys";
    algorithm rsasha256;
    key-size zsk 2048;
    key-size ksk 2560;
    pre-publish zsk 1w;
    post-publish zsk 2w;
    roll-period zsk 2mo;
    roll-period ksk 0;
    coverage 364d;
  };
  zone example.com {
    policy default-dnssec;
    key-size zsk 1536;
  };
  (policy default-dnssec is the global policy definition; policy default-dnssec; in the zone block inherits the "default-dnssec" policy for the zone; key-size zsk 1536; overrides a setting inherited from the global policy)
dnssec-keymgr
• dnssec-keymgr is designed to be run from a cron job
• it can also be started manually:
  # dnssec-keymgr example.com
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -a RSASHA256 -b 1536 example.com
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -fk -a RSASHA256 -b 2560 example.com
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161017081131 -D 20161031081131 Kexample.com.+008+16143
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+16143 -L 3600 -i 604800
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161216081131 -D 20161230081131 Kexample.com.+008+45825
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+45825 -L 3600 -i 604800
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170214081131 -D 20170228081131 Kexample.com.+008+58464
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+58464 -L 3600 -i 604800
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170415081131 -D 20170429081131 Kexample.com.+008+59949
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59949 -L 3600 -i 604800
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170614081131 -D 20170628081131 Kexample.com.+008+59589
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59589 -L 3600 -i 604800
  # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170813081131 -D 20170827081131 Kexample.com.+008+47265
  # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+47265 -L 3600 -i 604800
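The run above schedules six ZSK successors in one go, and it pays to understand where those -I/-D/-i values come from before letting a cron job create keys. The Python below is an added example, not dnssec-keymgr's own code, that models how the policy on the previous slide (roll-period zsk 2mo, pre-publish zsk 1w, post-publish zsk 2w, coverage 364d) yields exactly the timestamps printed above. It assumes, as the 60-day spacing of the dates implies, that keymgr counts a month as 30 days; the function names are chosen here, and the start time is the one the first -I value points back to.

```python
"""Model of the ZSK rollover timeline that dnssec-keymgr produced on the slide.

Added example, not part of dnssec-keymgr. Assumption: keymgr's 'mo' unit is
30 days (the slide's -I dates are exactly 60 days apart for 'roll-period zsk 2mo').
"""
from datetime import datetime, timedelta

DAYS_PER_UNIT = {"d": 1, "w": 7, "mo": 30, "y": 365}   # 'mo' = 30 days is the assumption


def parse_period(text):
    """'2mo' -> 60 days, '1w' -> 7 days, '364d' -> 364 days, '0' -> zero (no rollover)."""
    text = text.strip().lower()
    for suffix in ("mo", "w", "d", "y"):
        if text.endswith(suffix):
            return timedelta(days=int(text[:-len(suffix)]) * DAYS_PER_UNIT[suffix])
    return timedelta(days=int(text))


def zsk_schedule(start, roll_period, pre_publish, post_publish, coverage):
    """One entry per rollover that falls inside the coverage window.

    Each entry gives the retiring key's inactive (-I) and delete (-D) times and
    the successor's publish time, which is pre-publish before the predecessor
    goes inactive (dnssec-keygen -S ... -i <pre-publish in seconds>).
    """
    roll = parse_period(roll_period)
    pre, post, cov = (parse_period(p) for p in (pre_publish, post_publish, coverage))
    if roll <= timedelta(0):          # roll-period 0 (the KSK above): never rolls automatically
        return []
    window_end = start + cov
    entries = []
    inactive = start + roll
    while inactive <= window_end:
        entries.append({
            "inactive": inactive,
            "delete": inactive + post,
            "successor_publish": inactive - pre,
            "prepublish_seconds": int(pre.total_seconds()),
        })
        inactive += roll
    return entries


def stamp(dt):
    """dnssec-settime's YYYYMMDDHHMMSS form."""
    return dt.strftime("%Y%m%d%H%M%S")


def settime_lines(entries):
    """The '-I ... -D ...' pairs keymgr passed to dnssec-settime for each retiring key."""
    return ["-I %s -D %s" % (stamp(e["inactive"]), stamp(e["delete"])) for e in entries]


def slide_schedule():
    """The schedule for the run on the slide: first ZSK created 2016-08-18 08:11:31 UTC."""
    return zsk_schedule(datetime(2016, 8, 18, 8, 11, 31), "2mo", "1w", "2w", "364d")


if __name__ == "__main__":
    for line in settime_lines(slide_schedule()):
        print(line)
```

The sixth rollover (13 Aug 2017) is the last one that still fits into 364 days of coverage; the next would fall on 12 Oct 2017 and is left for a later keymgr run. Checking a schedule this way also shows the gap to watch in operations: every successor must be published one week before its predecessor goes inactive, so a cron job that stops running for longer than that breaks the chain.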
rndc managed-keys
• rndc can now be used to get information about the configured DNSSEC trust anchor(s)
• useful to track the automatic trust anchor update (RFC 5011) for the upcoming KSK change in the root zone
  https://www.icann.org/resources/pages/ksk-rollover
• example:
  # rndc managed-keys status
  view: _default
  next scheduled event: Fri, 19 Aug 2016 08:30:56 GMT
  name: .
  keyid: 19036
  algorithm: RSASHA256
  flags: SEP
  next refresh: Fri, 19 Aug 2016 08:30:56 GMT
  trusted since: Thu, 18 Aug 2016 08:30:53 GMT
DNSSEC trust-anchor telemetry
BIND 9 configured as a DNSSEC validating resolver will send specially formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto
• the query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key
• this gives operators of trusted DNSSEC domains feedback on which active trust anchors are used for the domains they host
• this helps operators to decide when an old key can be removed from the DNSSEC zone
• trust-anchor-telemetry no; will disable this function
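On the receiving end, the telemetry only helps if someone decodes it. The Python below is an added example, not code from the slides or from BIND: it reads query-log lines in BIND 9.11's query-log layout, picks out the "_ta-xxxx(-xxxx)" names described above and counts, per trust-anchor domain and key ID, how many distinct validators reported that key. The log lines are constructed for the example (key ID 4a5c is the 19036 shown by rndc managed-keys on the previous slide; 0e73 is an invented second key ID), and the function names are chosen here.

```python
"""Decode DNSSEC trust-anchor telemetry names in a query log (added example).

Not BIND code. The '_ta-xxxx(-xxxx)...' label is the one described above;
the log lines are constructed in BIND 9.11 query-log style, not captured.
Run over the query log of an authoritative server for a trust-anchor domain,
this shows which key IDs the querying validators currently trust, which is
the signal for deciding when an old key can go.
"""
import re
from collections import defaultdict

TA_LABEL = re.compile(r"^_ta(-[0-9a-fA-F]{4})+$")
# BIND 9.11 query-log layout: "client <ip>#<port> (<qname>): query: <qname> IN <type> ..."
QUERY_LINE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: ")

# constructed sample; 4a5c = key ID 19036 from the rndc managed-keys slide,
# 0e73 (= 3699) is an invented second key ID
SAMPLE_QUERY_LOG = """\
18-Aug-2016 08:30:56.101 client 192.0.2.10#53211 (_ta-4a5c.): query: _ta-4a5c. IN NULL -E(0)K (203.0.113.1)
18-Aug-2016 08:31:02.433 client 192.0.2.11#44012 (_ta-4a5c-0e73.): query: _ta-4a5c-0e73. IN NULL -E(0)K (203.0.113.1)
18-Aug-2016 08:31:15.009 client 192.0.2.12#53033 (www.example.com): query: www.example.com IN A -E(0)K (203.0.113.1)
18-Aug-2016 08:32:40.777 client 198.51.100.7#40100 (_ta-4a5c.): query: _ta-4a5c. IN NULL -E(0)K (203.0.113.1)
18-Aug-2016 08:33:01.002 client 198.51.100.8#40101 (_ta-0e73.example.com.): query: _ta-0e73.example.com. IN NULL -E(0)K (203.0.113.1)
"""


def decode_ta_name(qname):
    """'_ta-4a5c.' -> ('.', [19036]); '_ta-0e73.example.com.' -> ('example.com.', [3699]).

    Returns None when the first label is not a telemetry label.
    """
    labels = qname.rstrip(".").split(".")
    if not TA_LABEL.match(labels[0]):
        return None
    key_ids = [int(h, 16) for h in labels[0].split("-")[1:]]
    domain = ".".join(labels[1:]) + "." if len(labels) > 1 else "."
    return domain, key_ids


def validators_per_key(log_text):
    """{(domain, key_id): set(resolver addresses)} built from the telemetry queries in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if not m:
            continue
        decoded = decode_ta_name(m.group("qname"))
        if decoded is None:
            continue
        domain, key_ids = decoded
        for kid in key_ids:
            seen[(domain, kid)].add(m.group("ip"))
    return dict(seen)


if __name__ == "__main__":
    for (domain, kid), ips in sorted(validators_per_key(SAMPLE_QUERY_LOG).items()):
        print("%s key %d: %d validator(s)" % (domain, kid, len(ips)))
```

Counting distinct source addresses rather than queries matters: each validator sends one telemetry query per day, so a key that still shows up from many addresses a week after its successor was published is not ready to be removed.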
Automating DNSSEC Delegation Trust Maintenance (RFC 7344)
• BIND 9.11 supports the CDS and CDNSKEY resource records
• BIND 9.11 can publish a new DS via CDS, or a new DNSKEY via CDNSKEY, whenever a new KSK is being created
• the parent zone operator can monitor the child zone and import new DS and DNSKEY data from the CDS or CDNSKEY records
[Diagram, slides 38–40: Automating DNSSEC Delegation Trust Maintenance]
Parent DNS (tld.): tld. IN SOA …, tld. IN NS …, tld. IN DNSKEY …
Child DNS (child.tld.): child.tld. IN SOA …, child.tld. IN NS …, child.tld. IN DNSKEY …
Updating the DNSSEC trust chain today: the parent zone carries the child.tld. IN DS … records for the child.
Updating the DNSSEC trust chain with CDS / CDNSKEY: the child publishes child.tld. IN CDS …, and the parent imports its child.tld. IN DS … from it.
Automating DNSSEC Delegation Trust Maintenance (RFC 7344)
dnssec-keygen and dnssec-settime now support additional timing information: SYNC Publish (when to publish CDS/CDNSKEY) and SYNC Delete (when to remove CDS/CDNSKEY)
  # dnssec-settime -Psync +3mo /etc/namedb/keys/Kexample.com.+008+58464.key
  # dnssec-settime -p all /etc/namedb/keys/Kexample.com.+008+58464.key
  Created: Thu Aug 18 10:11:31 2016
  Publish: Fri Dec 9 09:11:31 2016
  Activate: Fri Dec 16 09:11:31 2016
  Revoke: UNSET
  Inactive: Tue Feb 14 09:11:31 2017
  Delete: Tue Feb 28 09:11:31 2017
  SYNC Publish: Wed Nov 16 09:47:45 2016
  SYNC Delete: UNSET
DNSSEC negative trust anchors
negative trust anchors (NTA) disable DNSSEC validation for a specific domain for a certain amount of time
• can be used by operators in case a misconfiguration of a remote DNSSEC-signed zone is detected. Care should be taken to check that the DNSSEC validation failure is indeed a misconfiguration and not an attack
• domains with an NTA are processed as if there is no trust anchor for that domain
• NTAs are stored and are persistent across BIND 9 restarts
• BIND 9 checks the domain periodically. Once the domain starts validating again, the NTA for the domain is removed
• NTAs have a lifetime (maximum one week) and expire automatically
DNSSEC negative trust anchors
adding an NTA (for 60 seconds):
  # rndc nta -l 60 fail01.dnssec.works
  Negative trust anchor added: fail01.dnssec.works/_default, expires 18-Aug-2016 13:52:19.000
  # rndc nta -dump
  fail01.dnssec.works: expired 18-Aug-2016 13:52:19.000
  # ls -l /etc/namedb/_default.nta
  -rw-r--r--. 1 root root 44 Aug 18 13:51 /etc/namedb/_default.nta
  # cat /etc/namedb/_default.nta
  fail01.dnssec.works. regular 20160818115219
DNSSEC negative trust anchors
removing an NTA:
  (NTA for one day)
  # rndc nta -l 86400 fail02.dnssec.works
  Negative trust anchor added: fail02.dnssec.works/_default, expires 19-Aug-2016 13:56:22.000
  # rndc nta -dump
  fail02.dnssec.works: expiry 19-Aug-2016 13:56:22.000
  (NTA removed)
  # rndc nta -r fail02.dnssec.works
  Negative trust anchor removed: fail02.dnssec.works/_default
  # rndc nta -dump
  #
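Because an active NTA means answers under that name are accepted without validation, it is worth knowing at any time which NTAs a resolver holds and for how long, independently of who ran rndc. The Python below is an added example, not BIND code, that reads the <view>.nta file shown above; it assumes the line format "<name> <regular|forced> <YYYYMMDDHHMMSS>" with the expiry in UTC (the slide's 13:52:19 CEST appears in the file as 115219) and that "forced" is what BIND writes for rndc nta -f. The sample file contents are constructed, and the function names are chosen here.

```python
"""Audit the negative trust anchors BIND 9.11 keeps in <view>.nta (added example).

Not BIND code. Line format as in the _default.nta shown above:
'<name> <regular|forced> <YYYYMMDDHHMMSS>', timestamp = expiry in UTC.
'forced' is assumed to be what BIND writes for 'rndc nta -f'.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=7)       # BIND caps the NTA lifetime at one week

# constructed sample file contents, same format as /etc/namedb/_default.nta
SAMPLE_NTA_FILE = """\
fail01.dnssec.works. regular 20160818115219
fail02.dnssec.works. regular 20160819115622
suspicious.example. forced 20161231000000
"""


def parse_stamp(stamp):
    """YYYYMMDDHHMMSS (UTC) -> aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_nta_file(text):
    """Return a list of {name, kind, expiry} dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, kind, stamp = parts
        try:
            expiry = parse_stamp(stamp)
        except ValueError:
            continue
        entries.append({"name": name, "kind": kind, "expiry": expiry})
    return entries


def audit_nta(text, now_stamp):
    """Classify entries relative to 'now' (UTC, YYYYMMDDHHMMSS).

    Returns a dict with:
      active   -- [(name, kind, seconds_remaining)] for NTAs still in force
      expired  -- names whose expiry has passed (BIND no longer honours these)
      over_cap -- names with more than one week left; rndc nta cannot produce
                  such an entry, so the file was edited by something else
    """
    now = parse_stamp(now_stamp)
    result = {"active": [], "expired": [], "over_cap": []}
    for e in parse_nta_file(text):
        remaining = e["expiry"] - now
        if remaining <= timedelta(0):
            result["expired"].append(e["name"])
            continue
        result["active"].append((e["name"], e["kind"], int(remaining.total_seconds())))
        if remaining > MAX_LIFETIME:
            result["over_cap"].append(e["name"])
    return result


if __name__ == "__main__":
    report = audit_nta(SAMPLE_NTA_FILE, "20160818120000")
    for name, kind, secs in report["active"]:
        print("active: %s (%s) %d s left" % (name, kind, secs))
    print("expired:", report["expired"])
    print("over cap:", report["over_cap"])
```

Feeding the real file and the current UTC time into audit_nta from a monitoring job gives the same view as rndc nta -dump, plus the over_cap check that the dump cannot give you.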
DNS Cookies
DNS Cookies
DNS Cookies, defined in RFC 7873, create a lightweight session over UDP between a DNS client (which can be a DNS resolver) and a DNS server
DNS cookies
• can mitigate cache poisoning attacks
• make DNS amplification attacks harder
[Diagram, slides 47–51: DNS cookie exchange between a DNS resolver and a BIND 9.11 server with a DNS cookie secret configured]
1. The DNS resolver sends a DNS query carrying a client cookie hash (a56f341) and an empty server cookie hash.
2. The BIND 9.11 server answers with an error response, BADCOOKIE, which includes its server cookie hash (b761a22); the client can cache the server cookie.
3. The DNS resolver resends the DNS query with client cookie hash a56f341 and server cookie hash b761a22.
4. The BIND 9.11 server answers NOERROR; the response includes the server cookie hash b761a22.
DNS Cookies
DNS cookies are enabled in BIND 9.11 by default (including the dig tool)
  # dig @localhost menandmice.com
  ; <<>> DiG 9.11.0b3 <<>> @localhost menandmice.com
  ; (2 servers found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6448
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 7
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: d22bde1a43ccf88213b35b4257b59343163def237257e622 (good)
  ;; QUESTION SECTION:
  ;menandmice.com. IN A
  ;; ANSWER SECTION:
  menandmice.com. 300 IN A 72.10.32.220
  (the COOKIE line in the OPT pseudosection is the DNS cookie)
DNS Cookies
Configuration options for DNS cookies in BIND 9.11:
• require-server-cookie (authoritative server or resolver): require a valid server cookie before sending a full response to a UDP request from a cookie-aware client. BADCOOKIE is sent if the server cookie is bad or missing.
• send-cookie (resolver): if yes, a COOKIE EDNS option is sent along with the query. If the resolver has previously talked to the server, the COOKIE returned in the previous transaction is sent.
DNS Cookies
Configuration options for DNS cookies in BIND 9.11 (continued):
• nocookie-udp-size (authoritative or resolver): sets the maximum size of UDP responses that will be sent to queries without a valid server COOKIE.
• cookie-algorithm (authoritative or resolver): sets the algorithm used when generating the server cookie. One of "aes", "sha1" or "sha256".
• cookie-secret (authoritative or resolver): if set, this is a shared secret used for generating and verifying DNS cookies within an anycast cluster. If not set, the system generates a random secret at startup.
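To make the effect of require-server-cookie and nocookie-udp-size concrete, here is an added Python simulation of the exchange drawn on slides 47–51; it is example code written for this page, not BIND's implementation. The server-cookie derivation used here (HMAC-SHA256 over the client cookie and the client address, truncated to 16 bytes) is a stand-in chosen for the example, not the construction behind BIND's cookie-algorithm setting; the class and function names are chosen here and the addresses are documentation ranges. split_cookie_option takes the hex value dig prints on the COOKIE line of slide 52 apart into its 8-byte client part and 16-byte server part.

```python
"""DNS COOKIE (RFC 7873) exchange with require-server-cookie / nocookie-udp-size.

Added example, not BIND code. Server cookie here = HMAC-SHA256(secret,
client cookie || client address)[:16], a stand-in construction for the example.
"""
import hashlib
import hmac
import secrets

NOERROR, FORMERR, BADCOOKIE = 0, 1, 23     # BADCOOKIE: extended RCODE from RFC 7873


def split_cookie_option(hex_value):
    """Split the COOKIE option as dig prints it into (client cookie, server cookie or None).

    RFC 7873: the client cookie is 8 bytes; a server cookie, when present, is 8..32 bytes.
    """
    data = bytes.fromhex(hex_value)
    if len(data) == 8:
        return data, None
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE option length %d" % len(data))


class CookieServer:
    """Authoritative server or resolver that derives, checks and hands out server cookies."""

    def __init__(self, secret, require_server_cookie=False, nocookie_udp_size=512):
        self.secret = secret                           # cookie-secret (shared across an anycast cluster)
        self.require_server_cookie = require_server_cookie
        self.nocookie_udp_size = nocookie_udp_size     # cap for answers lacking a valid server cookie

    def server_cookie(self, client_cookie, client_ip):
        mac = hmac.new(self.secret, client_cookie + client_ip.encode(), hashlib.sha256)
        return mac.digest()[:16]

    def handle(self, client_ip, client_cookie, server_cookie, answer_size):
        """Response to one UDP query: rcode, COOKIE option to return, whether the answer was truncated."""
        if client_cookie is None:
            # cookie-unaware client: answer, but limit the UDP response size
            return {"rcode": NOERROR, "cookie": None,
                    "truncated": answer_size > self.nocookie_udp_size}
        if len(client_cookie) != 8:
            return {"rcode": FORMERR, "cookie": None, "truncated": False}
        expected = self.server_cookie(client_cookie, client_ip)
        valid = server_cookie is not None and hmac.compare_digest(server_cookie, expected)
        if valid:
            return {"rcode": NOERROR, "cookie": client_cookie + expected, "truncated": False}
        if self.require_server_cookie:
            # slide 49: no answer data, BADCOOKIE carries the server cookie to use next time
            return {"rcode": BADCOOKIE, "cookie": client_cookie + expected, "truncated": False}
        # lenient default: answer and hand out the cookie, but keep the answer small
        return {"rcode": NOERROR, "cookie": client_cookie + expected,
                "truncated": answer_size > self.nocookie_udp_size}


class CookieClient:
    """Resolver with send-cookie yes: one client cookie, server cookies cached per server."""

    def __init__(self):
        self.client_cookie = secrets.token_bytes(8)
        self.cache = {}                                # server address -> server cookie

    def query(self, server, server_ip, client_ip, answer_size):
        """Send, and on BADCOOKIE retry once with the learned cookie; returns [(sent cookie, response)]."""
        exchange = []
        for _ in range(2):
            sent = self.cache.get(server_ip)
            resp = server.handle(client_ip, self.client_cookie, sent, answer_size)
            exchange.append((sent, resp))
            if resp["cookie"] is not None:
                self.cache[server_ip] = resp["cookie"][8:]   # remember the server part
            if resp["rcode"] != BADCOOKIE:
                break
        return exchange


if __name__ == "__main__":
    server = CookieServer(b"constructed-shared-secret", require_server_cookie=True)
    client = CookieClient()
    for sent, resp in client.query(server, "203.0.113.1", "192.0.2.10", 3000):
        print("sent server cookie:", sent.hex() if sent else "empty", "-> rcode", resp["rcode"])
```

The two properties the slides promise fall out of the simulation: a query arriving from a spoofed source address carries no server cookie that was derived for that address, so with require-server-cookie it gets a short BADCOOKIE instead of a large answer, and a client that sends no cookie at all is held to nocookie-udp-size.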
Misc
new resource record types
BIND 9 now supports the following resource record types:
• OPENPGPKEY - stores PGP public keys for e-mail addresses
• AVC - stores metadata about applications (Cisco DNS-AS - "DNS Authoritative Source")
• TA - DNSSEC Trust Authorities
• TALINK - used by applications that maintain trust anchors for DNS validators
• NINFO - a mechanism in the DNS to publish descriptive information about the status of the zone
• RKEY - publishing arbitrary application keys that could be used to encrypt DNS resource records
• SINK - Kitchen Sink Resource Record (https://tools.ietf.org/html/draft-eastlake-kitchen-sink)
Minimal ANY
• a BIND 9 server getting a query with type ANY (QTYPE 255) will answer with all records matching the requested domain name and class
• this can create large UDP DNS answer packets
  ;; QUESTION SECTION:
  ;menandmice.com. IN ANY
  ;; ANSWER SECTION:
  menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
  menandmice.com. 3600 IN TXT "HhnTdT3K"
  menandmice.com. 3600 IN TXT "MS=ms81797768"
  menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
  ns2.c.is. 84985 IN A 213.176.143.102
  dns1.menandmice.com. 171385 IN A 217.151.171.7
  dns2.menandmice.com. 171385 IN A 217.151.171.21
  dns3.menandmice.com. 171385 IN A 45.79.153.125
  […]
  ;; Query time: 97 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Mon Aug 15 10:49:15 CEST 2016
  ;; MSG SIZE rcvd: 719
  (MSG SIZE rcvd: the DNS answer size)
Minimal ANY
• starting with BIND 9.11, BIND 9 can be configured to only return the first entry matching an ANY query
• this mitigates the problem without causing (too much) breakage of older software (qmail etc.)
  options {
    minimal-any yes;
  };
Minimal ANY
• same query as before with minimal-any enabled:
  # dig menandmice.com any
  ; <<>> DiG 9.11.0b3 <<>> menandmice.com any
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
  ;; QUESTION SECTION:
  ;menandmice.com. IN ANY
  ;; ANSWER SECTION:
  menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Mon Aug 15 10:55:22 CEST 2016
  ;; MSG SIZE rcvd: 123
  (DNS answer size: 123 < 719 bytes)
adaptive preferred glue
BIND 9.11 now fills the additional section with glue records matching the transport protocol over which the query was received
• query received over IPv4: A-record glue data is preferred
• query received over IPv6: AAAA-record glue data is preferred
nslookup resolves IPv6 AAAA
nslookup got updated (WHOOO!)
nslookup will now look up IPv4 and IPv6 information for a hostname
  # nslookup
  > menandmice.com
  Server: 172.22.1.22
  Address: 172.22.1.22#53
  Non-authoritative answer:
  Name: menandmice.com
  Address: 72.10.32.220
  Name: menandmice.com
  Address: 2a01:7e00::f03c:91ff:fe89:ed54
SERVFAIL Caching
DNS answers with the return code SERVFAIL are now cached (default 1 second)
This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers
The cache time for SERVFAIL answers can be configured with the servfail-ttl statement; the maximum is 30 seconds
new mdig query tool
the new tool mdig (multi-dig) can be used to send multiple queries at once to a DNS server
answers will be printed in order of arrival
  # mdig @8.8.8.8 menandmice.com www.menandmice.com info.menandmice.com
  (three queries)
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;www.menandmice.com. IN A
  ;; ANSWER SECTION:
  www.menandmice.com. 4m59s IN A 72.10.32.220
  (answer for query #2)
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61756
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;menandmice.com. IN A
  ;; ANSWER SECTION:
  menandmice.com. 4m59s IN A 72.10.32.220
  (answer for query #1)
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23068
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
  ;; QUESTION SECTION:
  ;info.menandmice.com. IN A
  ;; ANSWER SECTION:
  info.menandmice.com. 4m59s IN CNAME 77026.group26.sites.hubspot.net.
  77026.group26.sites.hubspot.net. 29m59s IN CNAME cos2mdc.hubspot.net.mdc.edgesuite.net.
  cos2mdc.hubspot.net.mdc.edgesuite.net. 5h57m44s IN CNAME a1711.b.akamai.net.
  a1711.b.akamai.net. 19s IN A 95.101.90.26
  a1711.b.akamai.net. 19s IN A 95.101.90.82
  (answer for query #3)
dig switches
dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds:
  # dig +ttlunits menandmice.com
  ; <<>> DiG 9.11.0b3 <<>> +ttlunits menandmice.com
  ;; global options: +cmd
  ;; Got answer:
  […]
  ;; ANSWER SECTION:
  menandmice.com. 4m54s IN A 72.10.32.220
  ;; AUTHORITY SECTION:
  menandmice.com. 20h52m59s IN NS ns2.c.is.
  menandmice.com. 20h52m59s IN NS dns1.menandmice.com.
  menandmice.com. 20h52m59s IN NS ns0.c.is.
  menandmice.com. 20h52m59s IN NS dns3.menandmice.com.
  menandmice.com. 20h52m59s IN NS ns1.c.is.
  menandmice.com. 20h52m59s IN NS dns2.menandmice.com.
  ;; ADDITIONAL SECTION:
  dns1.menandmice.com. 21h9m22s IN A 217.151.171.7
  dns2.menandmice.com. 20h52m59s IN A 217.151.171.21
  dns3.menandmice.com. 1h29m39s IN A 45.79.153.125
multiple named processes
BIND 9.11 prevents the named process from accidentally being started more than once
named refuses to start if
• it cannot bind to any network interface
• the lock file /var/run/named/named.lock already exists
  # named -g
  18-Aug-2016 13:31:16.929 starting BIND 9.11.0b3 <id:a23f742>
  18-Aug-2016 13:31:16.929 running on Linux x86_64 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016
  18-Aug-2016 13:31:16.929 built with '--sysconfdir=/etc/namedb'
  18-Aug-2016 13:31:16.929 running as: named -g
  18-Aug-2016 13:31:16.929 ----------------------------------------------------
  18-Aug-2016 13:31:16.929 BIND 9 is maintained by Internet Systems Consortium,
  18-Aug-2016 13:31:16.929 Inc. (ISC), a non-profit 501(c)(3) public-benefit
  18-Aug-2016 13:31:16.929 corporation. Support and training for BIND 9 are
  18-Aug-2016 13:31:16.929 available at https://www.isc.org/support
  18-Aug-2016 13:31:16.929 ----------------------------------------------------
  18-Aug-2016 13:31:16.929 adjusted limit on open files from 65536 to 1048576
  18-Aug-2016 13:31:16.929 found 4 CPUs, using 4 worker threads
  18-Aug-2016 13:31:16.929 using 3 UDP listeners per interface
  18-Aug-2016 13:31:16.929 using up to 4096 sockets
  18-Aug-2016 13:31:16.938 loading configuration from '/etc/namedb/named.conf'
  18-Aug-2016 13:31:16.939 reading built-in trusted keys from file '/etc/namedb/bind.keys'
  18-Aug-2016 13:31:16.939 using default UDP/IPv4 port range: [32768, 60999]
  18-Aug-2016 13:31:16.939 using default UDP/IPv6 port range: [32768, 60999]
  18-Aug-2016 13:31:16.941 listening on IPv6 interfaces, port 53
  18-Aug-2016 13:31:16.948 binding TCP socket: address in use
  18-Aug-2016 13:31:16.948 listening on IPv4 interface lo, 127.0.0.1#53
  18-Aug-2016 13:31:16.949 binding TCP socket: address in use
  18-Aug-2016 13:31:16.949 listening on IPv4 interface mv-p3p1, 172.22.1.129#53
  18-Aug-2016 13:31:16.950 binding TCP socket: address in use
  18-Aug-2016 13:31:16.950 unable to listen on any configured interfaces
  18-Aug-2016 13:31:16.950 loading configuration: failure
  18-Aug-2016 13:31:16.950 exiting (due to fatal error)
more changes
The BIND 9.11 change log (release notes) has additional information on all the changes:
http://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt
Upcoming training classes
KEA-DHCP
• October 13 – 14, 2016 - West Coast, USA
• October 17 – 18, 2016 - East Coast, USA
• November 21 – 22, 2016 - Amsterdam, The Netherlands
Two days - hands-on training
US$ 1795
https://www.menandmice.com/support-training/training/kea-dhcp-training/
more training
• October 3 – 5, 2016: Introduction to DNS & BIND, hands-on class, Arlington (VA), USA
• October 3 – 7, 2016: Introduction & Advanced DNS and BIND Topics, hands-on class, Arlington (VA), USA
• October 5 – 7, 2016: DNSSEC Technical Workshop – Implementation and Deployment, Arlington (VA), USA
• October 10-14, 2014: "DNS und BIND / DNS Sicherheit" (German) @ Linuxhotel, Essen, Germany
https://www.menandmice.com/support-training/training/
our next webinar 

A secure BIND 9 – best practices
When operating a DNS server, a secure configuration is
paramount. BIND 9 experts from the Men & Mice team will
answer questions about BIND 9 security.
Learn more on:
• “chroot” vs. “container”
• separating resolving and authoritative services for security
• BIND 9 configuration hardening
• monitoring BIND 9 for security issues
August 31st, 2016 4:00pm CEST/ 2:00pm GMT/ 10:00am EDT/ 7:00am PDT
71
https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/
Thank you!
Questions? Comments?
72
