Following are the changed features in BIND 9.3.2:

In BIND 9.3.2, named(1M) selects the best forwarder from the list of forwarders specified in the /etc/named.conf file and sends the query to the forwarder with the lowest round-trip time. In BIND 9.2.0, named(1M) does not select a forwarder from the /etc/named.conf file but sequentially sends queries to all the forwarders in the /etc/named.conf file until the query is answered.

The following DNSSEC features are modified in BIND 9.3.2:

In BIND 9.2.0, when the dnssec-keygen command is executed twice with the HMAC-MD5 algorithm, two different key-file pairs are generated. In BIND 9.3.2, the key files are overwritten, resulting in one key-file pair only.

In the previous version of BIND, the dnssec-keygen command used the RSAMD5, DH, DSA, RSA, or HMAC-MD5 algorithm. In BIND 9.3.2, the dnssec-keygen command supports only RSASHA1 and DSA algorithms for DNSSEC. HMAC-MD5 and DH are also supported, in which case a KEY record is generated instead of a DNSKEY record. The -k option must be used to generate a KEY record.

In BIND 9.3.2, the key file supplied to nsupdate using the -k option must contain a key of the type KEY and not DNSKEY.

The dnssec-signzone command creates the db.<zone>.signed file, which contains the NSEC (corresponding to the NXT record in 9.2.0) and RRSIG (corresponding to the SIG record in 9.2.0) records. Additionally, it creates a dsset-<zone> file that contains the DS record and the keyset-<zone> file that contains the DNSKEY record.
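
The KEY versus DNSKEY distinction above can be checked before a key file is handed to nsupdate -k. The following script is an added example, not part of the original page or of BIND; the function names, sample file names and key data are constructed, and it assumes the one-line record layout that dnssec-keygen writes to its .key files.

```shell
# Added example, not from the original page; sample records are constructed.

# Print "<record type> <algorithm>" for the first key record in file $1.
key_record_info() {
    awk '
        function algname(n) {            # DNSSEC algorithm numbers (IANA)
            if (n == 1)   return "RSAMD5"
            if (n == 2)   return "DH"
            if (n == 3)   return "DSA"
            if (n == 5)   return "RSASHA1"
            if (n == 157) return "HMAC-MD5"
            return "alg" n
        }
        NF == 0 || $1 ~ /^;/ { next }    # skip blank lines and comments
        {
            # Layout: owner [ttl] [class] TYPE flags protocol algorithm key
            for (i = 2; i <= NF - 3; i++)
                if ($i == "KEY" || $i == "DNSKEY") {
                    print $i, algname($(i + 3) + 0)
                    exit
                }
        }
    ' "$1"
}

# Exit status 0: KEY (accepted by nsupdate -k); 1: DNSKEY; 2: unrecognised.
usable_for_nsupdate() {
    case "$(key_record_info "$1")" in
        "KEY "*)    return 0 ;;
        "DNSKEY "*) return 1 ;;
        *)          return 2 ;;
    esac
}

# Write two constructed sample files (placeholder key data) into dir $1.
write_sample_keys() {
    echo 'update.example.com. IN KEY 512 3 157 Q09OU1RSVUNURUQ=' \
        > "$1/Kupdate.example.com.+157+00001.key"
    echo 'example.com. 3600 IN DNSKEY 256 3 5 Q09OU1RSVUNURUQ=' \
        > "$1/Kexample.com.+005+00002.key"
}

dir=$(mktemp -d)
write_sample_keys "$dir"
for f in "$dir"/*.key; do
    if usable_for_nsupdate "$f"; then v="usable with nsupdate -k"; else v="not a KEY record"; fi
    echo "${f##*/}: $(key_record_info "$f") ($v)"
done
rm -rf "$dir"
```

Running the same check over key files carried forward from a 9.2.0 installation shows which ones were generated with algorithms that 9.3.2 no longer uses for DNSSEC, such as RSAMD5.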

The following dig features are modified in BIND 9.3.2:

The -i option in the dig command must be used for IP6.INT IPv6 reverse lookups. By default, dig performs IP6.ARPA reverse IPv6 lookups.

The output of the dig name command for Not Implemented is changed from NOTIMPL to NOTIMP.

Table 1-6 lists the changed command-line options for the dnssec-signzone tool in BIND 9.3.2.

Table 1-6 New Command-Line Options

| Binaries/Tools | Old Option | New Option | Changed Functionality |
|---|---|---|---|
| dnssec-signzone | -c cycle-time | -c class | Specifies the DNS class of the zone |
| dnssec-signzone | -n ncpus | -n threads | No change in the functionality for this option |