ISC has published the first stable release of the new BIND 9.9.0 branch of its DNS server. The release brings a large performance improvement and new administration tools, mostly aimed at simplifying DNSSEC deployment.
Key changes in BIND 9.9.0:
"Inline signing", which lets an existing DNS infrastructure move to DNSSEC without disturbing the established zone-maintenance workflow. Generating signatures for zones and managing keys is now considerably simpler and no longer requires changes to the current operating environment: the transition to DNSSEC can be made with a fully automatic signing process that is transparent to whoever edits the zone.
To enable inline signing for a master zone it is enough to add the option 'inline-signing yes' to the zone definition; the zone file itself is not modified. The same option on a slave server makes it possible to serve a DNSSEC-signed copy of a zone whose master does not support DNSSEC at all. ISC provides ready-made configuration examples for inline signing.
Much faster startup. With a large number of zones, startup time is on average 3 to 20 times shorter, and with very large configurations the difference is more pronounced: starting a server with 500,000 zones dropped from five and a half hours to 2-3 minutes, at the cost of about 2% more memory. The gain comes from fixing a design error and making better use of multithreading. The problem was a poorly chosen size for BIND's internal pool of concurrent tasks. On load, each zone got its own internal task, which besides parsing the zone data performs slow operations such as sending an SOA query to the master server, sending NOTIFY messages to slave servers, dumping the zone to disk and generating DNSSEC signatures. Since the default number of concurrent tasks was limited to 8, all of these operations were effectively carried out sequentially.
In addition, slave zones are processed about 50% faster because they are now cached in a more efficient binary format instead of a text representation. Server downtime during 'rndc reconfig' has also been minimized.
Better performance on multiprocessor systems. When built with multithreading support and started on a multi-core Unix or Linux system, named now uses several threads at once to handle incoming UDP traffic, which on some systems gives a significant increase in query performance. The resolver's control code has also been thoroughly reworked, improving scalability when serving recursive client queries (previously performance dropped on systems with more than 8 cores).
An NXDOMAIN redirection mechanism: when a queried name does not exist, the server can, instead of returning the NXDOMAIN ("no such domain") answer, redirect the client to a configured IP address. A provider can, for example, send users to a host that analyses the misspelled name and offers the correct address.
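The redirection described above is configured as a zone of type "redirect" at the root name. The fragment below is an added example, not configuration from the ISC announcement; the address 192.0.2.80, the file name and the apex SOA/NS placeholders are assumptions made for the example.

```conf
// Added example (not from the ISC announcement): BIND 9.9 NXDOMAIN redirection.
// A redirect zone is declared with the root name and type "redirect". It is only
// consulted when the real answer would have been NXDOMAIN; existing names are
// never overridden by it.
zone "." {
    type redirect;
    file "redirect.db";
};

// Contents of redirect.db. The data that clients receive are the wildcard
// records; the apex SOA and NS are placeholders so the file loads as a zone
// (assumption: replace with values matching your own setup).
//
//   $TTL 300
//   @    IN SOA  ns.example.net. hostmaster.example.net. (
//                    1 3600 900 604800 300 )
//        IN NS   ns.example.net.
//   *    IN A    192.0.2.80        ; assumption: the provider's "did you mean" host
//   *    IN AAAA 2001:db8::80
```

Two caveats before turning this on. The substituted answer is synthesized by the resolver, not by the zone's authoritative servers, so it cannot carry the authority's DNSSEC signatures, and a client that validates DNSSEC itself will not accept it as a genuine answer for a signed name. It also changes the meaning of a negative answer for every application behind the resolver (mail servers, search-domain handling in browsers and so on), so it should be an explicit policy decision, not a default.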
Improvements to the rndc commands. A new command, 'rndc flushtree', clears the DNS cache for a name and all of its subdomains. 'rndc freeze' and 'rndc thaw' no longer delete the zone's journal file, which makes it possible to use 'ixfr-from-differences' with dynamically updated zones; to write the journal into the zone file and remove it, use 'rndc sync -clean'.
General DNSSEC improvements. The new 'rndc signing' command gives more visibility into and control over the automatic generation of DNSSEC signatures, and can also be used to change a zone's NSEC3 parameters.
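The following fragment is an added example, not configuration from the ISC announcement, and covers both the inline-signing paragraph above and the new rndc commands: a master zone signed in place, a slave zone re-signed on the way through from a master that knows nothing about DNSSEC, and the commands an operator runs against them. Zone names, addresses, paths and key parameters are assumptions chosen for the example.

```conf
// Added example (not from the ISC announcement): BIND 9.9 inline signing.
options {
    directory "/var/named";
};

// Master zone signed in place. The operator keeps editing example.com.db as
// before; named maintains the signed copy (example.com.db.signed) and its own
// journal for it, and serves that copy.
zone "example.com" {
    type master;
    file "example.com.db";
    key-directory "/var/named/keys";   // holds Kexample.com.+008+NNNNN.{key,private}
    inline-signing yes;
    auto-dnssec maintain;              // pick up keys and re-sign on schedule
};

// "Bump in the wire": slave of a master that does not support DNSSEC. The zone
// arrives unsigned via zone transfer, is signed here and is then served (and
// transferred onward to public secondaries) in signed form.
zone "legacy.example" {
    type slave;
    masters { 192.0.2.10; };          // assumption: the non-DNSSEC master
    file "legacy.example.db";
    key-directory "/var/named/keys";
    inline-signing yes;
    auto-dnssec maintain;
};

// Operating it (commands typed into a shell on the server; key sizes and the
// NSEC3 salt are assumptions):
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 -f KSK example.com
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 1024 example.com
//   rndc reconfig
//   rndc signing -list example.com                       # keys currently signing
//   rndc signing -nsec3param 1 0 10 0f1e2d example.com   # switch to NSEC3 (hash 1, flags 0, 10 iterations, salt)
//   rndc sync -clean example.com                         # write the journal into the file and drop it
//   rndc flushtree example.com                           # on a resolver: drop cached data under the name
```

Note that inline signing automates signing and key rollover inside the zone but not the parent's side of the chain of trust: the DS record for the KSK still has to be published at the parent, and the slave zone above is only as trustworthy as the unsigned transfer it receives, so that transfer should be protected with TSIG.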
Other improvements. The 'also-notify' option now supports the same syntax as the 'masters' option, which makes it possible, for example, to specify TSIG keys for NOTIFY messages. The new 'serial-update-method' option selects how the SOA serial of a dynamic zone is changed (for example, incremented by one on each update, or set to the current Unix time).
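Both options from the paragraph above on one dynamically updated master zone, as an added example that is not part of the ISC announcement. The key name, the secret (which is a constructed placeholder, not real key material), the zone and the addresses are assumptions.

```conf
// Added example (not from the ISC announcement): also-notify with TSIG and
// serial-update-method in BIND 9.9.
key "notify-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtZXhhbXBsZS1zZWNyZXQtbm90LXJlYWw=";   // constructed placeholder, not a real key
};

zone "dyn.example" {
    type master;
    file "dyn.example.db";
    update-policy local;               // accept dynamic updates from nsupdate -l on this host

    // 9.9: also-notify takes the same syntax as masters, so each target may carry
    // a TSIG key (and a port) instead of being a bare address.
    also-notify {
        192.0.2.20 key "notify-key";
        192.0.2.21 port 5353;
    };

    // 9.9: how the SOA serial is bumped on dynamic update. "increment" (the
    // default) adds one; "unixtime" sets it to the current time in seconds,
    // falling back to increment when that would not advance the serial.
    serial-update-method unixtime;
};

// On the secondary at 192.0.2.20, so that the signed NOTIFY is verified and
// unsigned ones are refused (same algorithm and secret as above):
//   key "notify-key" { algorithm hmac-sha256; secret "..."; };
//   zone "dyn.example" {
//       type slave;
//       masters { 192.0.2.10 key "notify-key"; };   // assumption: the master's address
//       allow-notify { key "notify-key"; };
//       file "dyn.example.db";
//   };
```

Signing NOTIFY with a TSIG key matters because an unauthenticated NOTIFY from a spoofed source can make a secondary poll the master at will; with 'allow-notify' restricted to the key, only messages the master actually signed are acted on.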