BIND 9.3.2 Release Notes (5900-2140, December 2011)

Table 5 New Command-Line Options (continued)

| Binaries/Tools | Options | Description |
|---|---|---|
| named-checkzone | -D | Dumps the zone file in canonical format. |
| named | -4 | Makes named use only the IPv4 transport, even if the host system is capable of handling IPv6 addresses. |
| named | -6 | Makes named use only the IPv6 transport, even if the host system is capable of handling IPv4 addresses. |
| nsupdate | -t | Sets the maximum time an update request can take before it is aborted. The default value is 300 seconds. To disable the timeout, set this option to 0. |
| nsupdate | -u | Sets the UDP retry interval. The default value is 3 seconds. If this option is set to 0, the interval is computed from the timeout interval and the number of UDP retries. |
| nsupdate | -r | Sets the number of UDP retries. The default value is 3. If this option is set to 0, only one update request is made. |

Supports RFC 4193 (Unique local IPv6 unicast addresses)
BIND 9.3.2 (C.9.3.2.5.0) for the HP-UX 11i v3 operating system conforms to RFC 4193 (Unique
Local IPv6 Unicast Addresses). RFC 4193 defines a format for unique local IPv6 unicast addresses
that are globally unique and not intended for external networks. When named receives a unique
local IPv6 unicast address for resolution, it does not send this address to the global DNS server
for resolution. Instead, it returns the NXDOMAIN response message by default. As a result,
unique local IPv6 unicast addresses are never exposed to the outside network and are not accessible
by external systems.

Changed features
The following are the changed features in BIND 9.3.2:

• In BIND 9.3.2, named(1M) selects the best forwarder from the list of forwarders specified in
  the /etc/named.conf file and sends the query to the forwarder with the lowest round-trip
  time. In BIND 9.2.0, named(1M) does not select a forwarder from the /etc/named.conf
  file but sequentially sends queries to all the forwarders in the /etc/named.conf file until
  the query is answered.
• The following DNSSEC features are modified in BIND 9.3.2:
  - In BIND 9.2.0, when the dnssec-keygen command is executed twice with the
    HMAC-MD5 algorithm, two different key-file pairs are generated. In BIND 9.3.2, the key
    files are overwritten, resulting in one key-file pair only.
  - In the previous version of BIND, the dnssec-keygen command used the RSAMD5, DH,
    DSA, RSA, or HMAC-MD5 algorithm. In BIND 9.3.2, the dnssec-keygen command
    supports only the RSASHA1 and DSA algorithms for DNSSEC. HMAC-MD5 and DH are also
    supported, in which case a KEY record is generated instead of a DNSKEY record. The
    -k option must be used to generate a KEY record.
  - In BIND 9.3.2, the key file supplied to nsupdate using the -k option must contain a
    key of the type KEY and not DNSKEY.
  - The dnssec-signzone command creates the db.<zone>.signed file, which contains
    the NSEC (corresponding to the NXT record in 9.2.0) and RRSIG (corresponding to the
    SIG record in 9.2.0) records. Additionally, it creates a dsset-<zone> file that contains
    the DS record and the keyset-<zone> file that contains the DNSKEY record.
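
An added example, not from the HP release notes or the BIND distribution: a Python audit of K*.key file contents against the KEY/DNSKEY rule above, useful when key files are carried over from 9.2.0. It assumes the one-line "owner [ttl] IN KEY|DNSKEY flags protocol algorithm data" layout of a key file; the function names, the sample records and the placeholder base64 field are constructed for illustration.

```python
import re

# Algorithm numbers (IANA DNSSEC registry) for the algorithms the note names.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}
# Algorithms the note lists for dnssec-keygen in 9.3.2.
KEYGEN_932 = {"RSASHA1", "DSA", "HMAC-MD5", "DH"}

# Assumed layout: owner [ttl] [IN] KEY|DNSKEY flags protocol algorithm data
RR = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>KEY|DNSKEY)\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+\S",
    re.IGNORECASE,
)

def parse_key_rr(text):
    """Return (owner, rrtype, algorithm name) of the first key record, or None."""
    for line in text.splitlines():
        m = RR.match(line.split(";", 1)[0].strip())  # ignore ';' comments
        if m:
            num = int(m["alg"])
            return m["owner"], m["type"].upper(), ALGORITHMS.get(num, "alg-%d" % num)
    return None

def audit(text):
    """Check one key file body; returns (ok_for_nsupdate_k, message)."""
    rr = parse_key_rr(text)
    if rr is None:
        return False, "no KEY or DNSKEY record found"
    owner, rrtype, alg = rr
    if rrtype != "KEY":
        # The note: nsupdate -k needs type KEY; dnssec-keygen -k produces one.
        return False, "%s: %s %s, nsupdate -k needs type KEY" % (owner, alg, rrtype)
    if alg not in KEYGEN_932:
        return True, "%s: %s KEY, algorithm not in the note's 9.3.2 list" % (owner, alg)
    return True, "%s: %s KEY" % (owner, alg)

# Constructed sample key files; the base64 field is a placeholder, not a key.
SAMPLES = {
    "tsig-9.2.0": "host.example.com. IN KEY 512 3 157 Q09OU1RSVUNURUQ=\n",
    "zone-9.3.2": "example.com. IN DNSKEY 256 3 5 Q09OU1RSVUNURUQ=\n",
    "old-rsamd5": "example.com. 3600 IN KEY 256 3 1 Q09OU1RSVUNURUQ=\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit(body))
```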