# ISC Knowledgebase

Knowledge base documentation for ISC Knowledgebase.

## v1

- [Using This Knowledgebase](https://kb.isc.org/docs/using-this-knowledgebase.md): This site is intended to provide answers to users' questions about ISC's BIND 9, Kea DHCP, Stork, and ISC DHCP software.
- [ISC's Software Support Policy and Version Numbering](https://kb.isc.org/docs/aa-00896.md): Software Support Policy and Version Numbering for BIND 9, Kea DHCP, and Stork open source.
- [BIND 9, ISC DHCP, Kea, and Stork source code access](https://kb.isc.org/docs/aa-01037.md): ISC source code is available online for use by developers and contributors. Public releases are always available from the downloads page on the ISC website (https://www.isc.org/download/) and https://downloads.isc.org/isc. No password is required.
- [ISC Software Defect and Vulnerability Disclosure Policy](https://kb.isc.org/docs/aa-00861.md): ISC's Software Defect and Security Vulnerability Disclosure Policy for BIND 9, ISC DHCP, and Kea DHCP
- [ISC CVSS Scoring Guidelines](https://kb.isc.org/docs/isc-cvss-scoring-guidelines.md): ISC CVSS Scoring Guidelines for BIND 9
- [How to Report or Inquire About Potential Software Vulnerabilities](https://kb.isc.org/docs/aa-01020.md): Information on how to report a security defect in BIND 9, Kea DHCP, Stork, or ISC DHCP
- [Contributing to ISC's Open Source](https://kb.isc.org/docs/contributing-to-iscs-open-source.md): How to contribute to ISC's open source software
- [General Best Practices for Servers](https://kb.isc.org/docs/server-best-practices.md): Operators should implement general best practices for the servers hosting their critical infrastructure; software is only as good as its platform.
- [What to do if your BIND, Kea DHCP, Stork, or ISC DHCP server has crashed](https://kb.isc.org/docs/aa-00340.md): Files and information to collect when sending a crash report to ISC
- [How to apply a patch diff to ISC source code](https://kb.isc.org/docs/how-to-apply-a-patch-diff-to-isc-source-code.md): Sometimes when a user has a problem with ISC-supplied software, our development team, as part of the process of providing and testing a fix for the problem, may offer a patch diff containing custom modifications to be applied to a specific version of BIND or Kea. Such a diff may contain a proposed fix for a bug, or might add instrumentation and logging instructions to help track down a difficult-to-diagnose problem that a server operator is experiencing.
- [Verifying the Integrity of ISC Downloads using PGP / GPG](https://kb.isc.org/docs/aa-01225.md): You can verify the integrity of any software downloaded from ISC via PGP or GPG.
- [Essential UNIX Commands for BIND, ISC DHCP, and Kea DHCP Administrators](https://kb.isc.org/docs/essential-unix-commands-for-bind-isc-dhcp-and-kea-dhcp-administrators.md): Essential UNIX commands for BIND, ISC DHCP, and Kea DHCP administrators.
- [Debugging Tools](https://kb.isc.org/docs/debug.md): This document provides a quick reference to some commands that can be used to examine the internal state of a running program. It is not a comprehensive treatment of debugging, or even the commands involved. The goal is to make it easier to get in situ details in a form that can be easily sent to experts for review.
- [ISC Support Subscriber News Q1 2026](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2026.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q4 2025](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2025.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q3 2025](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2025.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q2 2025](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2025.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q1 2025](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2025.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q4 2024](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2024.md): News about BIND, Kea, and Stork software for ISC's support subscribers
- [ISC Support Subscriber News Q3 2024](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2024.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q2 2024](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2024.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q1 2024](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2024.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q4 2023](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2023.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q3 2023](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2023.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q2 2023](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2023.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News Q1 2023](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2023.md): News about BIND and Kea software for ISC's support subscribers
- [ISC Support Subscriber News, Q4, 2022](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2022.md): ISC's customer newsletter, Q4 2022
- [ISC Support Subscriber News, Q3, 2022](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2022.md): ISC's customer newsletter, Q3 2022
- [ISC Support Subscriber News, Q2, 2022](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2022.md): ISC's customer newsletter, Q2 2022
- [ISC Support Subscriber News, Q1, 2022](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2022.md): ISC's customer newsletter, Q1 2022
- [ISC Support Subscriber News, Q4, 2021](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2021.md): ISC's customer newsletter, Q4 2021
- [ISC Support Subscriber News, Q3 2021](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2021.md): ISC's customer newsletter, Q3 2021
- [ISC Support Subscriber News, Q2 2021](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2021.md): ISC's customer newsletter, Q2 2021
- [ISC Support Subscriber News, Q1 2021](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2021.md): ISC's customer newsletter, Q1 2021
- [ISC Support Subscriber News, Q4 2020](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2020.md): ISC's customer newsletter, Q4 2020
- [ISC Support Subscriber News, Q3 2020](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2020.md): ISC's customer newsletter, Q3 2020
- [ISC Support Subscriber News, Q2 2020](https://kb.isc.org/docs/isc-support-subscriber-news-q2-2020.md): ISC's customer newsletter, Q2 2020
- [ISC Support Subscriber News, Q1 2020](https://kb.isc.org/docs/isc-support-subscriber-news-q1-2020.md): ISC's customer newsletter, Q1 2020
- [ISC Support Subscriber News, Q4 2019](https://kb.isc.org/docs/isc-support-subscriber-news-q4-2019.md): ISC's customer newsletter, Q4 2019
- [ISC Support Subscriber News, Q3 2019](https://kb.isc.org/docs/isc-support-subscriber-news-q3-2019.md): ISC's customer newsletter, Q3 2019
- [DNSSEC signing with an offline KSK](https://kb.isc.org/docs/dnssec-signing-with-an-offline-ksk.md): This article describes how to configure and operate BIND 9 with an offline KSK. It is assumed that the reader has a general understanding of DNSSEC.
- [ISC Packages for BIND 9](https://kb.isc.org/docs/isc-packages-for-bind-9.md): ISC provides binary packages for currently supported versions of many popular operating systems.
- [Supported Platforms](https://kb.isc.org/docs/supported-platforms.md): This table lists the platforms on which BIND 9 is regularly tested, supported with best effort, community maintained, or unsupported.
- [BIND 9 Significant Features Matrix](https://kb.isc.org/docs/aa-01310.md): BIND 9 Significant Features Matrix
- [Policy for removing named.conf options](https://kb.isc.org/docs/policy-for-removing-namedconf-options.md): Maintaining unnecessary options increases the number of corner cases and thus the complexity of development, testing and validation. It can also confuse new users. We have established an orderly, staged process that gives existing users ample time to react and adapt to obsoleted options.
- [BIND 9's Support Model](https://kb.isc.org/docs/aa-00577.md): Support for BIND 9 open source software
- [Load balancing and DNS](https://kb.isc.org/docs/load-balancing-and-dns.md): Load balancing of DNS traffic, or using DNS to load balance other Internet traffic.
- [Exempting broken domains in recursion](https://kb.isc.org/docs/exempting-broken-domains.md): When BIND is used as a recursive resolver, a domain name may fail to resolve under some configurations, but not others. Resolver operators who wish to exempt individual zones from the resolver's configuration and query with a configuration which can resolve the domain name may use the multi-view configuration described in this article.
- [Testing EDNS Compatibility with dig](https://kb.isc.org/docs/edns-compatibility-dig-queries.md): The ednscomp.isc.org site uses a modified version of DiG to run multiple tests in series.
- [What happens when a remote server doesn't understand EDNS0?](https://kb.isc.org/docs/aa-00510.md): What are the situations (timeouts, FORMERR, etc.) that mark a server as unable to speak EDNS0? What happens afterwards?
- [Considerations when choosing and configuring load balancers](https://kb.isc.org/docs/aa-00435.md): Two key points: the load balancer mustn't become a source of resource issues, and it must ensure that it responds properly according to DNS protocol.
- [What is DNS Cache snooping?](https://kb.isc.org/docs/aa-00509.md): DNS cache snooping is a technique that can be employed for different purposes by those seeking to benefit from knowledge of what queries have been made of a recursive DNS server by its clients.
- [Classless in-addr.arpa subnet delegation](https://kb.isc.org/docs/aa-01589.md): This article is a worked example of one of the simpler cases of classless in-addr.arpa subnet delegation, as described in RFC2317 (BCP 20): https://tools.ietf.org/html/rfc2317.
- [Refinements to EDNS fallback behavior can cause different outcomes in Recursive Servers](https://kb.isc.org/docs/aa-01219.md): When operating recursively, BIND 9 has a 'fallback' process that it uses to test the capabilities of remote authoritative servers that it queries.
- [What is a DNS Amplification Attack?](https://kb.isc.org/docs/aa-00897.md): A DNS Amplification Attack is a Distributed Denial of Service (DDoS) tactic that belongs to the class of reflection attacks, attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin of the attack is concealed from the victim.
- [Nameserver Basics: What is an Authoritative Server? What is a Recursive Server?](https://kb.isc.org/docs/aa-00817.md): Nameserver functionality can be divided into two main categories: authoritative service and recursive service. BIND can be configured by the administrator to be an authoritative nameserver, a recursive nameserver, or both.
- [CNAME at the apex of a zone](https://kb.isc.org/docs/aa-01640.md): This article explains why you can't have a CNAME at the zone apex, and then discusses potential alternatives.
- [What is an Empty Non-Terminal?](https://kb.isc.org/docs/what-is-an-empty-non-terminal.md): Nodes in the DNS can be terminal or non-terminal. DNS does not require that non-terminal segments of a domain name be in a separate zone.
- [AXFR-style IXFR explained](https://kb.isc.org/docs/axfr-style-ixfr-explained.md): Incremental zone transfers (IXFRs) sometimes occur as full zone transfers (AXFRs). Here's why.
- [Can an NS record refer to a CNAME?](https://kb.isc.org/docs/aa-00203.md): NS records cannot refer to CNAMEs.
- [SVCB and HTTPS resource records - what are they?](https://kb.isc.org/docs/svcb-and-https-resource-records-what-are-they.md): SVCB and HTTPS DNS resource records explained
- [RRset limits in zones](https://kb.isc.org/docs/rrset-limits-in-zones.md): Two new configuration statements have been added to BIND for version 9.20.0. They are configurable options to allow operators of secondary servers and recursive resolvers to set an upper bound on the growth of data in their zones or caches.
- [Changes to be aware of in BIND 9.20](https://kb.isc.org/docs/bind-920-changes.md): Changes in BIND 9.20 that operators should be aware of
- [Changes to be aware of when moving from BIND 9.16 to 9.18](https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918.md): Maintaining our process of continuous improvement, there have been some major changes in BIND between the two currently supported ESV versions, 9.16 and 9.18. This article summarises what those changes are so that you can go into this upgrade knowing which features are likely to affect your installation and what parameters you might need to adjust.
- [Changes to be aware of when moving from BIND 9.11 to 9.16](https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916.md): This document lists changes in default settings and other significant changes that users upgrading from BIND 9.11 to BIND 9.16 should be aware of.
- [Accessing the BIND git Repository Via Command Line](https://kb.isc.org/docs/aa-01009.md): Here are instructions on how to access the BIND GitLab repository via the command line.
- [Operating statistics provided by BIND statistics channels](https://kb.isc.org/docs/aa-01123.md): BIND 9 has a statistics channel, which can be enabled to offer statistics to clients.
- [Automatic DNSSEC Zone Signing Key rollover explained](https://kb.isc.org/docs/aa-00822.md): Since version 9.7, BIND has offered automatic Zone Signing Key rollovers. Here's how they work.
- [Using DNSTAP with BIND](https://kb.isc.org/docs/aa-01342.md): dnstap is a fast, flexible method for capturing and logging DNS traffic. BIND 9 can be compiled with dnstap support enabled.
- [What to do with a misbehaving BIND server](https://kb.isc.org/docs/aa-00341.md): Here's a checklist of things to try if BIND appears to be behaving abnormally.
- [DNS cookies on servers in anycast clusters or behind load balancers](https://kb.isc.org/docs/dns-cookies-on-servers-in-anycast-clusters.md): A server in an anycast or load-balanced cluster may find that the server cookie it has cached appears to change arbitrarily.
- [How can I check the default option values in named.conf?](https://kb.isc.org/docs/aa-00704.md): There isn't a single command for BIND 9 that will list all named.conf options and their default settings, but checking the defaults can sometimes be helpful. Check the ARM.
- [Using Access Control Lists (ACLs) with both addresses and keys](https://kb.isc.org/docs/aa-00723.md): How can I configure allow-update to permit updates using ACLs? Read this and find out.
- [Defining a named.conf ACL for 'any IPv6' address](https://kb.isc.org/docs/aa-00363.md): Is there a built-in ACL for named.conf that is for any IPv6 address? You can define one.
- [Understanding views in BIND 9, with examples](https://kb.isc.org/docs/aa-00851.md): Views add complexity to a BIND configuration, but this article explains how that complexity can be managed and allow views to be used effectively.
- [Using DSCP With BIND](https://kb.isc.org/docs/aa-00973.md): DSCP gives operators the ability to influence service differentiation by setting a specified value in the IPv4 or IPv6 headers of outgoing traffic sent by the BIND server.
- [DNSSEC Validation the Easy Way](https://kb.isc.org/docs/aa-01182.md): Instructions on activating DNSSEC validation in a BIND resolver. In later versions of BIND, validation becomes the default.
- [Gathering Information on BIND 9 Memory Usage](https://kb.isc.org/docs/aa-01208.md): It can be a challenge to pinpoint memory issues. Here is some useful data to collect before sending ISC a crash report.
- [Using BIND's XML statistics-channels](https://kb.isc.org/docs/aa-00769.md): In addition to the output from rndc stats, BIND can be monitored via its XML-based statistics channels.
- [Why do queries for NSEC3 records fail to return the NSEC3 record?](https://kb.isc.org/docs/aa-00289.md): Although NSEC3 records are present in a signed DNS zone, they are strictly metadata.
- [How do DNS dynamic updates find the "right" server?](https://kb.isc.org/docs/aa-00653.md): DHCP clients and servers know which server to send DDNS updates to by querying DNS for the SOA record of the domain to which the dynamic update should be made.
- [Root KSK Rollover in BIND](https://kb.isc.org/docs/aa-01525.md): On October 11, 2018 the root zone key-signing key was changed. A new key was introduced and used to sign the root zone's DNSKEY RRset, and the old key was removed.
- [Limiting the size of journal (.jnl) files with max-journal-size](https://kb.isc.org/docs/aa-00374.md): You can use the max-journal-size configuration option to specify a maximum BIND journal size.
- [Using DLZ in BIND](https://kb.isc.org/docs/aa-00995.md): Dynamically Loadable Zones (DLZ) allow BIND 9 to retrieve zone data from an external database.
- [Root hints - a collection of operational and configuration FAQs](https://kb.isc.org/docs/aa-01309.md): This collection of FAQs aims to de-mystify root hints for new DNS administrators.
- [BIND Logging - some basic recommendations](https://kb.isc.org/docs/aa-01526.md): Recommended settings and templates for effective and practical BIND 9 log files.
- [DNS over TLS](https://kb.isc.org/docs/aa-01386.md): This article explains how to provide a DNS over TLS service using BIND 9 and stunnel, as well as set up a privacy aggregator.
- [DNS Cookies in BIND 9](https://kb.isc.org/docs/aa-01387.md): DNS COOKIE is an Extended DNS (EDNS) option which allows clients to detect and ignore off-path spoofed responses, and servers to determine that a client's address is not spoofed.
- [What's the difference between allow-query-cache and allow-recursion?](https://kb.isc.org/docs/aa-00503.md): allow-query governs who can send any query to the BIND 9 server, not just queries against authoritative data.
- [My secondary server for both an internal and an external view has both views transferred from the same primary view - how to resolve?](https://kb.isc.org/docs/aa-00296.md): Current versions of BIND 9 have the "in-view" zone option to allow both views to use the same instance of the zone.
- [How do I share a dynamic zone between multiple views?](https://kb.isc.org/docs/aa-00295.md): Choose one view to be primary and the other secondary, and transfer the zone between BIND views.
- [How do I answer for a specific hostname in a zone, but resolve all its other names normally?](https://kb.isc.org/docs/aa-01190.md): A common wish among many sites with internal-only nameservers is the desire on an otherwise caching-only resolver to override one (or more) single name(s) from the Internet.
- [I want to forward all DNS queries from my caching nameserver to another server but configure exceptions for some domains - how?](https://kb.isc.org/docs/aa-00302.md): Forwarding can be configured globally and per-zone.
- [Using the GeoIP Features](https://kb.isc.org/docs/aa-01149.md): BIND 9 can limit access to various server functions based on the requestor's IP address, and can use GeoIP databases to get the presumed geographic location.
- [How do I change the version that BIND reports when queried for version.bind?](https://kb.isc.org/docs/aa-00359.md): BIND servers respond to queries for name version.bind with record type TXT and class CHAOS. By default this is set to the version of BIND that has been installed.
- [How do I configure multiple views to share the same recursive cache?](https://kb.isc.org/docs/aa-00835.md): The attach-cache option is used to configure cache-sharing between BIND 9 views.
- [Getting started with BIND - how to build and run named with a basic recursive configuration](https://kb.isc.org/docs/aa-00768.md): This is a simple "first steps" primer to help users get started with BIND.
- [How can I disable IPv6 recursive queries on my resolver?](https://kb.isc.org/docs/aa-00206.md): How do I stop my resolver from using IPv6 when doing recursion?
- [I'm trying to compile BIND 9 and "make" is failing due to files not being found. Why?](https://kb.isc.org/docs/aa-00291.md): To build BIND 9, make sure you're not using a parallel or distributed "make".
- [Can I have a TXT or SPF record longer than 255 characters?](https://kb.isc.org/docs/aa-00356.md): Can I have a TXT or SPF record longer than 255 characters? No.
- [Which version of BIND do I want to download and install?](https://kb.isc.org/docs/aa-01540.md): There are multiple versions of BIND available for download from ISC's website - how should you decide which one is right for your production environment?
- [dig versions and default EDNS UDP buffer size changes](https://kb.isc.org/docs/behavior-dig-versions-edns-bufsize.md): The default EDNS buffer size advertised by dig has changed in version 9.18 from previous versions. This difference can affect dig's results.
- [BIND Memory Consumption Explained](https://kb.isc.org/docs/bind-memory-consumption-explained.md): BIND users upgrading from BIND 9.11 versions to 9.16 versions may notice memory consumption increases. This article explains BIND memory consumption in detail.
- [Automatic empty zones (including RFC 1918 prefixes)](https://kb.isc.org/docs/aa-00800.md): BIND provides a number of empty zones that are automatically configured and loaded when named starts.
- [How can I disable global forwarding for delegated subdomains?](https://kb.isc.org/docs/aa-00538.md): When a nameserver receives a recursive query, it first looks to see if it has the answer in cache or is authoritative for the domain. Global forwarding tells named not to attempt iterative resolution.
- [Converting Zone Files Between Text and Raw Formats](https://kb.isc.org/docs/aa-00608.md): Zone file storage for secondary zones expects the raw zone format by default. There are two different ways to change the format.
- [A short introduction to Catalog Zones](https://kb.isc.org/docs/aa-01401.md): Catalog Zones is a BIND feature allowing easy provisioning of zones to secondary servers. A "catalog zone" is a special DNS zone that contains a list of other zones to be served, along with their configuration parameters.
- [Inline Signing in ISC BIND 9.9.0 -- Examples](https://kb.isc.org/docs/aa-00626.md): BIND 9.9 introduced a new inline-signing option for DNSSEC.
- [How does BIND choose the primary for a zone refresh (zone timer or notify)?](https://kb.isc.org/docs/aa-01467.md): BIND secondary servers periodically refresh their zone content from one of the list of configured primaries.
- [Rate-limiters for authoritative zone propagation](https://kb.isc.org/docs/rate-limiters-for-authoritative-zone-propagation.md): BIND provides three independent rate-limiters for the inter-server communications used to automatically trigger zone refreshes.
- [serial-query-rate, notify-rate and startup-notify-rate: how they impact zone transfers in different versions of BIND](https://kb.isc.org/docs/aa-01313.md): To ensure that notifies and refreshes do not compete with each other, BIND has rate-limiting controls for the rate of notifies and of zone refreshes.
- [Promoting a Secondary Server to Primary](https://kb.isc.org/docs/promoting-a-secondary-server-to-primary.md): If a primary server is offline for too long, it may be desirable to change a secondary server to a primary. Here's how.
- [Managing Manual Multi-master or multi-primary](https://kb.isc.org/docs/managing-manual-multi-master.md): It is relatively simple to switch a BIND server from secondary to primary in real time. Here's how.
- [How to change the nameservers for a zone](https://kb.isc.org/docs/aa-00331.md): For non-DNSSEC-signed zones, it is fairly simple to change the nameservers for a zone. Here's how.
- [BIND Best Practices - Authoritative](https://kb.isc.org/docs/bind-best-practices-authoritative.md): Best practices for running BIND 9 as an authoritative DNS server
- [How do I display the contents of a .signed zone file in human-readable format?](https://kb.isc.org/docs/aa-00546.md): BIND writes its backup signed zone file in raw format. Use named-checkzone to read the file contents in human-readable format.
- [Why isn't nsupdate working from my Windows machine?](https://kb.isc.org/docs/aa-00492.md): Most UNIX editors automatically add an end-of-line character in text files, but many Windows editors don't.
- [Why does my authoritative server make recursive queries?](https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries.md): Some authoritative-only server functions do not use recursion, while others do. This article lists some examples of each.
- [DNSSEC Key States](https://kb.isc.org/docs/dnssec-key-states.md): An explanation of DNSSEC Key States, and how they are used to perform robust key rollovers.
- [Private networks and split DNS](https://kb.isc.org/docs/private-networks-and-split-dns.md): This article discusses some of the things that might trip you up when deploying DNS in a private network, alongside publishing your own domain to the world in some public-facing DNS service.
- [Choosing the right value for max-journal-size](https://kb.isc.org/docs/aa-01641.md): A good rule of thumb for max-journal-size is to choose a small multiple of the size of the primary file.
- [DNSSEC signed zones - best practice guidance relating to NSEC3 signing and validation](https://kb.isc.org/docs/dnssec-signed-zones-best-practice-guidance-for-nsec3-iterations.md): DNSSEC-signed zones offer protection against response spoofing to both DNSSEC-validating resolvers and authoritative DNS zone operators who choose to sign their published zones.
- [Adding a new Resource Record (RR) type to BIND 9](https://kb.isc.org/docs/aa-01140.md): BIND 9 was designed to make it relatively easy to add user defined resource record (RR) types, though you do need some understanding of C.
- [How do I restrict only remote users from looking up the server version?](https://kb.isc.org/docs/aa-00308.md): BIND has a built-in view that can be set to restrict access to remote users.
- [Why is the outcome different from dig when using the +trace option?](https://kb.isc.org/docs/aa-00208.md): By default dig will use the configured nameservers from /etc/resolv.conf (or one explicitly specified using the command syntax). Without +trace you are testing the ability of the target nameserver to resolve your query.
- [Why does my recursive server have authoritative zones?](https://kb.isc.org/docs/why-does-my-recursive-server-have-authoritative-zones.md): Servers that are intended solely to provide a recursive service to clients will almost certainly also be operating with authoritative zones loaded, from which authoritative query responses are provided. The existence of these authoritative zones means that a resolver cannot be considered to be exclusively using recursive operation with no authoritative functionality at all.
- [PROXYv2 Support in BIND 9](https://kb.isc.org/docs/proxyv2-support-in-bind-9.md): The PROXYv2 protocol is designed to pass transport connection information, including source and destination addresses and ports, to a back-end system across multiple layers of NAT, TCP or UDP proxies and load balancers.
- [BIND Best Practices - Recursive](https://kb.isc.org/docs/bind-best-practices-recursive.md): Best practices for running BIND 9 as a recursive DNS server
- [Recursive Client Rate limiting](https://kb.isc.org/docs/aa-01304.md): The Recursive Client Rate limiting tuning option was added to BIND 9 in these open source branches.
- [Recursive Client Rate limiting - FAQs](https://kb.isc.org/docs/aa-01316.md): Recursive Client Rate limiting provides tuning controls to optimize recursive server behavior for good client queries, while limiting the impact of bad client queries.
- [How does clients-per-query work?](https://kb.isc.org/docs/aa-00463.md): named limits the number of clients that can simultaneously be querying for a particular name/type. The initial limit is clients-per-query.
- [DNSSEC validation and BIND 9 cache](https://kb.isc.org/docs/aa-00912.md): In versions up to 9.9, validating recursive BIND servers sometimes had issues dealing with DNSSEC and signed zones.
- [Trust levels for RRsets in BIND cache](https://kb.isc.org/docs/aa-01534.md): When a BIND resolver receives answers from authoritative servers, it uses trust levels defined in RFC 2181 to determine the preferred response.
- [DNSSEC validation - how can I tell if my server is doing it?](https://kb.isc.org/docs/aa-01547.md): Check your named.conf files for these options that indicate DNSSEC validation.
- [What does 'rndc nta' do and when should I use it?](https://kb.isc.org/docs/aa-01418.md): 'rndc nta' is used to temporarily disable DNSSEC validation for a domain.
- [DNS Cache snooping - should I be concerned?](https://kb.isc.org/docs/aa-00482.md): DNS cache snooping is a technique by which parties can get information about previous queries. To prevent it, limit access to your recursive servers.
- [BIND Trust Anchor Telemetry in BIND 9.9.10, 9.10.5 and 9.11.0](https://kb.isc.org/docs/aa-01528.md): BIND Trust Anchor Telemetry lets DNSSEC-validating resolvers signal which keys they have configured to the owners of the zones in which those keys reside.
- [Early refresh of cache records (cache prefetch) in BIND](https://kb.isc.org/docs/aa-01122.md): With cache prefetch in BIND, the resolver can be set to ask for another copy of a cached record just before its current copy expires.
- [The Umbrella feature in detail](https://kb.isc.org/docs/the-umbrella-feature-in-detail.md): This describes the feature that allows BIND to integrate with Umbrella services.
- [Changes to serve-stale option stale-answer-client-timeout in BIND 9.19 and newer](https://kb.isc.org/docs/changes-to-serve-stale-option-stale-answer-client-timeout-in-bind-918-and-newer.md): In BIND 9.18.22 and newer, ISC is planning to limit the accepted values for serve-stale option stale-answer-client-timeout to 0 (zero) and disabled (also equivalent to off).
- [UDP Listeners - choosing the right value for -U when starting named](https://kb.isc.org/docs/aa-01249.md): There's no one setting for the number of UDP listeners that's correct for every system; the best we can do is pick a value that works well in the largest number of circumstances.
- [BIND 9 Software Vulnerability Matrix](https://kb.isc.org/docs/aa-00913.md): The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.
- [CVE-2026-5950: Unbounded resend loop in BIND 9 resolver](https://kb.isc.org/docs/cve-2026-5950.md): An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.
- [CVE-2026-5947: SIG(0) validation during query flood may lead to undefined behavior](https://kb.isc.org/docs/cve-2026-5947.md): If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time during which the SIG(0) validation may attempt to read the now-discarded DNS message.
- [CVE-2026-5946: Invalid handling of CLASS != IN](https://kb.isc.org/docs/cve-2026-5946.md): Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN), for example CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section.
- [CVE-2026-3593: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation](https://kb.isc.org/docs/cve-2026-3593.md): A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
- [CVE-2026-3592: Amplification vulnerabilities via self-pointed glue records](https://kb.isc.org/docs/cve-2026-3592.md): BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources.
- [CVE-2026-3591: A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass](https://kb.isc.org/docs/cve-2026-3591.md): A use-after-return vulnerability exists in the named server when handling DNS queries signed with SIG(0).
- [CVE-2026-3119: Authenticated query containing a TKEY record may cause named to terminate unexpectedly](https://kb.isc.org/docs/cve-2026-3119.md): Under certain conditions, named may crash when processing a correctly signed query containing a TKEY record.
- [CVE-2026-3104: Memory leak in code preparing DNSSEC proofs of non-existence](https://kb.isc.org/docs/cve-2026-3104.md): A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain.
- [CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation](https://kb.isc.org/docs/cve-2026-3039.md): BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously constructed packets.
- [CVE-2026-1519: Excessive NSEC3 iterations cause high CPU load during insecure delegation validation](https://kb.isc.org/docs/cve-2026-1519.md): If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU.
- [CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly](https://kb.isc.org/docs/cve-2025-13878.md): Malformed BRID/HHIT records can cause named to terminate unexpectedly. An attacker can cause named to crash via queries that create corrupt records.
- [CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling](https://kb.isc.org/docs/cve-2025-8677.md): Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.
- [CVE-2025-40780: Cache poisoning due to weak PRNG](https://kb.isc.org/docs/cve-2025-40780.md): In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.
- [CVE-2025-40778: Cache poisoning attacks with unsolicited RRs](https://kb.isc.org/docs/cve-2025-40778.md): Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.
- [CVE-2025-40777: A possible assertion failure when using the 'stale-answer-client-timeout 0' option](https://kb.isc.org/docs/cve-2025-40777.md): If a named caching resolver is configured with serve-stale-enable yes, and with stale-answer-client-timeout set to 0 (the only allowable value other than disabled), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure.
- [CVE-2025-40776: Birthday Attack against Resolvers supporting ECS](https://kb.isc.org/docs/cve-2025-40776.md): A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature.
- [CVE-2025-40775: DNS message with invalid TSIG causes an assertion failure](https://kb.isc.org/docs/cve-2025-40775.md): When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure.
- [CVE-2024-12705: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load](https://kb.isc.org/docs/cve-2024-12705.md): By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This would significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.
- [CVE-2024-11187: Many records in the additional section cause CPU exhaustion](https://kb.isc.org/docs/cve-2024-11187.md): It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.
- [CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content](https://kb.isc.org/docs/cve-2024-4076.md): Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure.
- [CVE-2024-1975: SIG(0) can be used to exhaust CPU resources](https://kb.isc.org/docs/cve-2024-1975.md): If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.
- [CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name](https://kb.isc.org/docs/cve-2024-1737.md): Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.
- [CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable](https://kb.isc.org/docs/cve-2024-0760.md): A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack.
- [CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources](https://kb.isc.org/docs/cve-2023-50868.md): The processing of responses coming from DNSSEC-signed zones using NSEC3 can cause CPU exhaustion on a DNSSEC-validating resolver. By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
- [CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator](https://kb.isc.org/docs/cve-2023-50387.md): The processing of responses coming from specially crafted DNSSEC-signed zones can cause CPU exhaustion on a DNSSEC-validating resolver. By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
- [CVE-2023-6516: Specific recursive query patterns may lead to an out-of-memory condition](https://kb.isc.org/docs/cve-2023-6516.md): To keep its cache database efficient, named running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, named may not be able to handle the cleanup events in a timely manner.
- [CVE-2023-5680: Cleaning an ECS-enabled cache may cause excessive CPU load](https://kb.isc.org/docs/cve-2023-5680.md): If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance.
- [CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution](https://kb.isc.org/docs/cve-2023-5679.md): A bad interaction between DNS64 and serve-stale may cause named to crash with an assertion failure during recursive resolution, when both of these features are enabled.
- [CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled](https://kb.isc.org/docs/cve-2023-5517.md): A flaw in query-handling code can cause named to exit prematurely with an assertion failure when nxdomain-redirect ; is configured, and the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.
- [CVE-2023-4408: Parsing large DNS messages may cause excessive CPU load](https://kb.isc.org/docs/cve-2023-4408.md): The DNS message parsing code in named includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected named instance by exploiting this flaw.
- [CVE-2023-4236: named may terminate unexpectedly under high DNS-over-TLS query load](https://kb.isc.org/docs/cve-2023-4236.md): A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure.
- [CVE-2023-3341: A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly](https://kb.isc.org/docs/cve-2023-3341.md): Control channel messages call certain functions recursively during packet parsing. A large recursion depth may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly.
- [CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0](https://kb.isc.org/docs/cve-2023-2911.md): CVE-2023-2911: If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow.
- [CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled](https://kb.isc.org/docs/cve-2023-2829.md): CVE-2023-2829: A named instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (synth-from-dnssec) enabled can be remotely terminated using a zone with a malformed NSEC record.
- [CVE-2023-2828: named's configured cache size limit can be significantly exceeded](https://kb.isc.org/docs/cve-2023-2828.md): CVE-2023-2828: By exploiting a specific flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.
- [CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code](https://kb.isc.org/docs/cve-2022-38178.md): CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
- [CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code](https://kb.isc.org/docs/cve-2022-38177.md): CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
- [CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota](https://kb.isc.org/docs/cve-2022-3924.md): This issue can affect BIND 9 resolvers with stale-answer-enable yes; that also make use of the option stale-answer-client-timeout, configured with a value greater than zero.
- [CVE-2022-3736: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries](https://kb.isc.org/docs/cve-2022-3736.md): BIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query.
- [CVE-2022-3488: BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries](https://kb.isc.org/docs/cve-2022-3488.md): Processing of repeated responses to the same query, where both responses contain ECS pseudo-options, but where the first is broken in some way, can cause BIND to exit with an assertion failure.
- [CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory](https://kb.isc.org/docs/cve-2022-3094.md): Sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This, in turn, may cause named to exit due to a lack of free memory. We are not aware of any cases where this has been exploited.
- [CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly](https://kb.isc.org/docs/cve-2022-3080.md): CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache
- [CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)](https://kb.isc.org/docs/cve-2022-2906.md): CVE-2022-2906 Memory Leak in DH Code
- [CVE-2022-2881: Buffer overread in statistics channel code](https://kb.isc.org/docs/cve-2022-2881.md): CVE-2022-2881: Buffer overread in statistics channel code
- [CVE-2022-2795: Processing large delegations may severely degrade resolver performance](https://kb.isc.org/docs/cve-2022-2795.md): CVE-2022-2795: Processing large delegations may severely degrade resolver performance
- [CVE-2022-1183: Destroying a TLS session early causes assertion failure](https://kb.isc.org/docs/cve-2022-1183.md): An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early.
- [CVE-2022-0667: Assertion failure on delayed DS lookup](https://kb.isc.org/docs/cve-2022-0667.md): While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate.
- [CVE-2022-0635: DNAME insist with synth-from-dnssec enabled](https://kb.isc.org/docs/cve-2022-0635.md): CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
- [CVE-2021-25220: DNS forwarders - cache poisoning vulnerability](https://kb.isc.org/docs/cve-2021-25220.md): CVE-2021-25220
- [CVE-2022-0396: DoS from specifically crafted TCP packets](https://kb.isc.org/docs/cve-2022-0396.md): ISC recently discovered an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue is present in BIND 9.16.11 to 9.16.26 (including S editions), and 9.18.0.
- [Security Matrices for Obsolete BIND Branches](https://kb.isc.org/docs/obsolete-bind-vulnerability-lists.md): Older versions of BIND generally do not receive updates for new vulnerabilities, but a matrix for each EOL branch is kept available for reference.
- [BIND 9 Security Vulnerability Matrix - 9.16](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-916.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.16 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (April 2024) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.15](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-915.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.15 development branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (May 2020) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.14](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-914.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.14 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (May 2020) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.13](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-913.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.13 development branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (March 2019) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.12](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-912.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.10 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2018) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.11](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-911.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.11 branch during (or very shortly after) its lifetime. It is almost certain that it will be affected by some vulnerabilities discovered after the EOL date (March 2022) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.11-S](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-911-s.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.11-S Supported Preview branch during (or very shortly after) its lifetime. It is almost certain that it will be affected by some vulnerabilities discovered after the EOL date (March 2022) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.10-S](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-910-s.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.10 Supported Preview branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2018) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.10](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-910.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.10 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2018) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.9-S](https://kb.isc.org/docs/bind-9-security-vulnerability-matrix-99-s.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.9 Supported Preview branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2018) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.9](https://kb.isc.org/docs/bind-99-matrix.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.9 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2018) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.8](https://kb.isc.org/docs/aa-01586.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.8 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (September 2014) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.7](https://kb.isc.org/docs/aa-01585.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.7 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (November 2012) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.6/9.6-ESV Branches](https://kb.isc.org/docs/aa-01584.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.6/9.6-ESV branches during (or very shortly after) their lifetimes. They are known to be affected by some vulnerabilities discovered after the EOL date (February 2014) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.5 Branch](https://kb.isc.org/docs/aa-01583.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.5 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (September 2010) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.4/9.4-ESV Branches](https://kb.isc.org/docs/aa-01582.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.4/9.4-ESV branches during (or very shortly after) their lifetimes. They are known to be affected by some vulnerabilities discovered after the EOL date (March 2012) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.3 Branch](https://kb.isc.org/docs/aa-01581.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.3 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (January 2009) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.2 Branch](https://kb.isc.org/docs/aa-01580.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.2 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (September 2007) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.1 Branch](https://kb.isc.org/docs/aa-01579.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.1 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2001) but those will not be listed here.
- [BIND 9 Security Vulnerability Matrix - 9.0 Branch](https://kb.isc.org/docs/aa-01577.md): This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.0 branch during (or very shortly after) its lifetime. It is known to be affected by some vulnerabilities discovered after the EOL date (July 2001) but those will not be listed here.
- [CVE-2021-25219: Lame cache can be abused to severely degrade resolver performance](https://kb.isc.org/docs/cve-2021-25219.md): Exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.
- [CVE-2021-25218: A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use](https://kb.isc.org/docs/cve-2021-25218.md): If named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered (resulting in termination of the named server process).
- [CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack](https://kb.isc.org/docs/cve-2021-25216.md): CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
- [CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself](https://kb.isc.org/docs/cve-2021-25215.md): CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself
- [CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly](https://kb.isc.org/docs/cve-2021-25214.md): CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
- [CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack](https://kb.isc.org/docs/cve-2020-8625.md): CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
- [CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly](https://kb.isc.org/docs/cve-2020-8624.md): CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
- [CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c](https://kb.isc.org/docs/cve-2020-8623.md): CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
- [CVE-2020-8622: A truncated TSIG response can lead to an assertion failure](https://kb.isc.org/docs/cve-2020-8622.md): CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
- [CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c](https://kb.isc.org/docs/cve-2020-8621.md): CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
- [CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c](https://kb.isc.org/docs/cve-2020-8620.md): CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
- [CVE-2020-8619: An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c](https://kb.isc.org/docs/cve-2020-8619.md): CVE-2020-8619: An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
- [CVE-2020-8618: A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer](https://kb.isc.org/docs/cve-2020-8618.md): CVE-2020-8618: A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
- [CVE-2020-8617: FAQ and Supplemental Information](https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information.md): CVE-2020-8617: FAQ and Supplemental Information
- [CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c](https://kb.isc.org/docs/cve-2020-8617.md): CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c
- [CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals](https://kb.isc.org/docs/cve-2020-8616.md): CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals
- [CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit](https://kb.isc.org/docs/cve-2019-6477.md): CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit
- [CVE-2019-6476: An error in QNAME minimization code can cause BIND to exit with an assertion failure](https://kb.isc.org/docs/cve-2019-6476.md): CVE-2019-6476: An error in QNAME minimization code can cause BIND to exit with an assertion failure
- [CVE-2019-6475: A flaw in mirror zone validity checking can allow zone data to be spoofed](https://kb.isc.org/docs/cve-2019-6475.md): CVE-2019-6475: A flaw in mirror zone validity checking can allow zone data to be spoofed
- [CVE-2019-6471: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure](https://kb.isc.org/docs/cve-2019-6471.md): CVE-2019-6471: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure
- [CVE-2019-6469: BIND Supported Preview Edition can exit with an assertion failure if ECS is in use](https://kb.isc.org/docs/cve-2019-6469.md): CVE-2019-6469: BIND Supported Preview Edition can exit with an assertion failure if ECS is in use
- [CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used](https://kb.isc.org/docs/cve-2019-6468.md): CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used
- [CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c](https://kb.isc.org/docs/cve-2019-6467.md): CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c
- [CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective](https://kb.isc.org/docs/cve-2019-6465.md): CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
- [CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys](https://kb.isc.org/docs/cve-2018-5745.md): CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
- [CVE-2018-5744: A specially crafted packet can cause named to leak memory](https://kb.isc.org/docs/cve-2018-5744.md): CVE-2018-5744: A specially crafted packet can cause named to leak memory
- [CVE-2018-5743: Limiting simultaneous TCP clients is ineffective](https://kb.isc.org/docs/cve-2018-5743.md): CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
- [CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain](https://kb.isc.org/docs/cve-2018-5741.md): CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain
- [CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named](https://kb.isc.org/docs/aa-01639.md): CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named
- [CVE-2018-5738: Some versions of BIND can improperly permit recursive query service to unauthorized clients](https://kb.isc.org/docs/aa-01616.md): CVE-2018-5738: Some versions of BIND can improperly permit recursive query service to unauthorized clients
- [CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled](https://kb.isc.org/docs/aa-01606.md): CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled
- [CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c](https://kb.isc.org/docs/aa-01602.md): CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c
- [CVE-2018-5734: A malformed request can trigger an assertion failure in badcache.c](https://kb.isc.org/docs/aa-01562.md): CVE-2018-5734: A malformed request can trigger an assertion failure in badcache.c
- [CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash](https://kb.isc.org/docs/aa-01542.md): CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash
- [CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates](https://kb.isc.org/docs/aa-01503.md): CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates
- [CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers](https://kb.isc.org/docs/aa-01504.md): CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers
- [CVE-2017-3141: Windows service and uninstall paths are not quoted when BIND is installed](https://kb.isc.org/docs/aa-01496.md): CVE-2017-3141: Windows service and uninstall paths are not quoted when BIND is installed
- [CVE-2017-3140: An error processing RPZ rules can cause named to loop endlessly after handling a query](https://kb.isc.org/docs/aa-01495.md): CVE-2017-3140: An error processing RPZ rules can cause named to loop endlessly after handling a query
- [CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel](https://kb.isc.org/docs/aa-01471.md): CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
- [CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME](https://kb.isc.org/docs/aa-01466.md): CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
- [CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"](https://kb.isc.org/docs/aa-01465.md): CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
- [CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash](https://kb.isc.org/docs/aa-01453.md): CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
- [CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c](https://kb.isc.org/docs/aa-01442.md): CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
- [CVE-2016-9444: An unusually formed DS record response could cause an assertion failure](https://kb.isc.org/docs/aa-01441.md): CVE-2016-9444: An unusually formed DS record response could cause an assertion failure
- [CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure](https://kb.isc.org/docs/aa-01440.md): CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
- [CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure](https://kb.isc.org/docs/aa-01434.md): CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure
- [CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion](https://kb.isc.org/docs/aa-01439.md): CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
- [CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date](https://kb.isc.org/docs/aa-01433.md): A packet with a malformed options section can be used to deliberately trigger an assertion failure affecting versions of BIND which do not contain change #3548, which was first included in ISC BIND 9 releases in May 2013.
- [CVE-2016-2776: Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request](https://kb.isc.org/docs/aa-01419.md): CVE-2016-2776: Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request
- [CVE-2016-2775: A query name which is too long can cause a segmentation fault in lwresd](https://kb.isc.org/docs/aa-01393.md): If the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error.
- [CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure](https://kb.isc.org/docs/aa-01351.md): CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
- [CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c](https://kb.isc.org/docs/aa-01353.md): An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c.
- [CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c](https://kb.isc.org/docs/aa-01352.md): Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the "rndc" server control utility).
- [CVE-2016-1284: A REQUIRE assertion failure in rdataset.c can be deliberately triggered in servers performing NXDOMAIN redirection](https://kb.isc.org/docs/aa-01348.md): An error in handling flag values in incoming queries can be exploited to deliberately trigger a REQUIRE assertion failure in rdataset.c on servers using the "nxdomain-redirect" option in BIND 9 Supported Preview Edition. - [CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate](https://kb.isc.org/docs/aa-01336.md): In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c. In prior 9.10 versions, it may result in named crashing (such as with a segmentation fault) or other misbehavior due to a buffer overrun. - [CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c](https://kb.isc.org/docs/aa-01335.md): A buffer size check used to guard against overflow could cause named to exit with an INSIST failure in apl_42.c. - [CVE-2015-8461: A race condition when handling socket errors can lead to an assertion failure in resolver.c](https://kb.isc.org/docs/aa-01319.md): Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c. - [CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c](https://kb.isc.org/docs/aa-01317.md): An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND 9, instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. 
- [CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c](https://kb.isc.org/docs/aa-01291.md): An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query. - [CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c](https://kb.isc.org/docs/aa-01287.md): Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. - [CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure](https://kb.isc.org/docs/aa-01272.md): An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit. - [CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating](https://kb.isc.org/docs/aa-01267.md): A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query. - [CVE-2015-1349: A Problem with Trust Anchor Management Can Cause named to Crash](https://kb.isc.org/docs/aa-01235.md): BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when encountering certain conditions in a managed trust anchor. 
- [CVE-2014-8680: Defects in GeoIP features can cause BIND to crash](https://kb.isc.org/docs/aa-01217.md): Multiple errors have been identified in the GeoIP features added in BIND 9.10. Two are capable of crashing BIND; triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition. A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND 9 was running. - [CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND](https://kb.isc.org/docs/aa-01216.md): By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process.) - [CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing](https://kb.isc.org/docs/aa-01166.md): A query specially crafted to exploit a defect in EDNS option processing can cause named to terminate with an assertion failure. - [CVE-2014-3214: A Defect in Prefetch Can Cause Recursive Servers to Crash](https://kb.isc.org/docs/aa-01161.md): A defect in the pre-fetch feature (which is enabled by default) can cause BIND 9.10.0 to terminate with a "REQUIRE" assertion failure if it processes queries whose answers have particular attributes. This can be triggered as the result of normal query processing. - [CVE-2014-0591: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND](https://kb.isc.org/docs/aa-01078.md): Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. 
By exploiting this defect, an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones. - [CVE-2014-0591: FAQ and Supplemental Information](https://kb.isc.org/docs/aa-01085.md): This page provides supplemental information for the CVE-2014-0591 Security Advisory (CVE-2014-0591: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND). - [CVE-2013-6230: FAQ and Supplemental Information](https://kb.isc.org/docs/aa-01063.md): This page provides supplemental information for the CVE-2013-6230 Security Advisory (https://kb.isc.org/docs/aa-01062). - [CVE-2013-6230: A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs](https://kb.isc.org/docs/aa-01062.md): A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List. - [CVE-2013-4854: A specially crafted query can cause BIND to terminate abnormally](https://kb.isc.org/docs/aa-01015.md): A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query. - [CVE-2013-4854: FAQ and Supplemental Information](https://kb.isc.org/docs/aa-01016.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2013-3919: A recursive resolver can be crashed by a query for a malformed zone](https://kb.isc.org/docs/aa-00967.md): A bug has been discovered in the most recent releases of BIND 9 which has the potential for deliberate exploitation as a denial-of-service attack. 
By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal "RUNTIME_CHECK" error in resolver.c. - [CVE-2013-3919: FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00997.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named](https://kb.isc.org/docs/aa-00871.md): A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine. - [CVE-2013-2266: FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00879.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ](https://kb.isc.org/docs/aa-00855.md): An error condition may occur when a nameserver which is configured to use DNS64 performs a AAAA lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ). 
If the RPZ is unable to provide a AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into a AAAA record. - [CVE-2012-5166: Specially crafted DNS data can cause a lockup in named](https://kb.isc.org/docs/aa-00801.md): If specific combinations of RDATA are loaded into a nameserver, either via cache or an authoritative zone, a subsequent query for a related record will cause named to lock up. - [CVE-2012-5166 FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00807.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2012-4244: A specially crafted Resource Record could cause named to terminate](https://kb.isc.org/docs/aa-00778.md): If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure. - [CVE-2012-3868: High TCP Query Load Can Trigger a Memory Leak in BIND 9](https://kb.isc.org/docs/aa-00730.md): Under heavy incoming TCP query loads, named experiences a memory leak which may lead to significant reductions in query response performance. Additionally, this can trigger an automatic shutdown if named is running on a system that kills out-of-memory processes. - [CVE-2012-3817: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND 9](https://kb.isc.org/docs/aa-00729.md): BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. 
Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure. - [CVE-2012-5688: BIND 9 servers using DNS64 can be crashed by a crafted query](https://kb.isc.org/docs/aa-00828.md): BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers. - [CVE-2012-3817 FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00766.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2012-1667: Handling of zero length rdata can cause named to terminate unexpectedly](https://kb.isc.org/docs/aa-00698.md): Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. - [CVE-2012-1667 FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00703.md): For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. 
- [CVE-2012-1033: Ghost Domain Names: Revoked Yet Still Resolvable](https://kb.isc.org/docs/aa-00691.md): After completing our analysis of the DNS exploit reported by Professor Haixin Duan of Tsinghua University, ISC has determined that the behavior he describes, while verifiable, is due to design issues in the DNS protocol. No immediate steps are planned to address the issue. - [CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c](https://kb.isc.org/docs/aa-00544.md): An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit. - [CVE-2011-4313 FAQ and Supplemental Information](https://kb.isc.org/docs/aa-00549.md): For up to date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability. - [CVE-2011-2465: ISC BIND 9 Remote Crash With Certain RPZ Configurations](https://kb.isc.org/docs/aa-00458.md): A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. - [CVE-2011-2464: ISC BIND 9 Remote Packet Denial of Service Against Authoritative and Recursive Servers](https://kb.isc.org/docs/aa-00457.md): A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. 
- [CVE-2011-1910: Large RRSIG RRsets and Negative Caching Can Crash named](https://kb.isc.org/docs/aa-00459.md): In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. - [CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones](https://kb.isc.org/docs/aa-00460.md): When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash. - [CVE-2011-0414: BIND -- Server Lockup Upon IXFR or DDNS Update Combined With High Query Rate](https://kb.isc.org/docs/aa-00461.md): When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition. - [CVE-2010-3762: failure to handle bad signatures if multiple trust anchors configured](https://kb.isc.org/docs/aa-00935.md): If BIND, acting as a DNSSEC validating server, has two or more trust anchors configured in named.conf for the same zone (such as example.com) and the response for a record in that zone from the authoritative server includes a bad signature, the validating server will crash while trying to validate that query. - [CVE-2010-3615: allow-query processed incorrectly](https://kb.isc.org/docs/aa-00937.md): When named is running as an authoritative server for a zone and receives a query for that zone data, it first checks for allow-query acls in the zone statement, then in that view, then in global options. If none of these exist, it defaults to allowing any query (allow-query {"any"};). 
- [CVE-2010-3613: cache incorrectly allows a ncache entry and a rrsig for the same type](https://kb.isc.org/docs/aa-00938.md): Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST). - [CVE-2010-0218: Unexpected ACL Behavior in BIND 9.7.2](https://kb.isc.org/docs/aa-00934.md): There was a flaw where the wrong ACL was applied. This flaw could allow access to a cache via recursion even though the ACL disallowed it. - [CVE-2010-0213: RRSIG query handling bug in BIND 9.7.1](https://kb.isc.org/docs/aa-00933.md): If a query is made explicitly for a record of type 'RRSIG' to a validating recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or more trust anchors configured statically and/or via DLV, then if the answer is not already in cache, the server enters a loop which repeatedly generates queries for RRSIGs to the authoritative servers for the zone containing the queried name. - [CVE-2010-0097: BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses](https://kb.isc.org/docs/aa-00932.md): There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set. - [CVE-2010-3614: Key algorithm rollover bug in BIND 9](https://kb.isc.org/docs/aa-00936.md): named, acting as a DNSSEC validator, was determining if an NS RRset is insecure based on a value that could mean either that the RRset is actually insecure or that there wasn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset. 
- [CVE-2009-4022: BIND 9 Cache Update from Additional Section](https://kb.isc.org/docs/aa-00931.md): A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. - [CVE-2009-0025: EVP_VerifyFinal() and DSA_do_verify() return checks](https://kb.isc.org/docs/aa-00925.md): It is theoretically possible to spoof answers returned from zones whose DNSKEY algorithms are affected by a recently disclosed OpenSSL issue. - [CVE-2009-0696: BIND Dynamic Update DoS](https://kb.isc.org/docs/aa-00926.md): Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. - [CVE-2008-1447: DNS Cache Poisoning Issue ("Kaminsky bug")](https://kb.isc.org/docs/aa-00924.md): The DNS protocol uses the Query ID field to match incoming responses to previously sent queries. The Query ID field is only 16 bits, which makes it an easy target to exploit in the particular spoofing scenario described by Dan Kaminsky. - [CVE-2008-0122: Buffer overflow in inet_network()](https://kb.isc.org/docs/aa-00923.md): An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs. - [CVE-2007-2926: cryptographically weak query ids](https://kb.isc.org/docs/aa-00921.md): The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker. - [CVE-2007-2925: allow-query-cache/allow-recursion default acls not set](https://kb.isc.org/docs/aa-00920.md): The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents. 
- [CVE-2007-0493: Denial of service via unspecified vectors that cause "dereference a freed fetch context"](https://kb.isc.org/docs/aa-00917.md): It is possible for the named to dereference (read) a freed fetch context. This can cause named to exit unintentionally. - [CVE-2007-0494: Denial of service via ANY query response containing multiple RRsets.](https://kb.isc.org/docs/aa-00918.md): When validating responses to type * (ANY) queries that return multiple RRsets in the answer section it is possible to trigger assertions checks. To be vulnerable you need to have enabled DNSSEC validation in named.conf by specifying trusted-keys. - [CVE-2007-2241: Sequence of queries can cause a recursive nameserver to exit](https://kb.isc.org/docs/aa-00919.md): A sequence of queries can cause a recursive nameserver to exit. While it is unlikely these will occur in normal operation, an attack can use them to cause the affected versions to exit. This attack is a denial of service, and does not allow an attacker to gain control of affected systems. - [CVE-2006-4096: BIND vulnerable to an INSIST failure via sending of multiple recursive queries](https://kb.isc.org/docs/cve-2006-4096.md): It is possible to trigger a INSIST failure by sending enough recursive queries that the response to the query arrives after all the clients looking for the response have left the recursion queue. - [CVE-2006-4095: Assertion failure when querying for SIG records](https://kb.isc.org/docs/aa-00916.md): Queries for SIG records will trigger a assertion failure if more than one SIG(covered) RRset is returned. - [CVE-2005-0034: BIND: Self-check failing](https://kb.isc.org/docs/aa-00958.md): An incorrect assumption in the validator (authvalidated) can result in a REQUIRE (internal consistancy) test failing and named exiting. 
- [CVE-2002-0400: DoS internal consistency check (DoS_findtype)](https://kb.isc.org/docs/aa-00950.md): BIND 9 before 9.2.1 allows remote attackers to cause a denial of service (shutdown) via a malformed DNS packet that triggers an error condition that is not properly handled when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL, aka DoS_findtype. - [CVE-2012-5166 \[CN\]: 特意构造的DNS数据可导致服务器被锁定](https://kb.isc.org/docs/aa-00818.md): N/A - [CVE-2012-3868 \[CN\]: TCP 请求负载过高将触发 BIND9 的内存泄露](https://kb.isc.org/docs/aa-00759.md): N/A - [CVE-2012-3817 \[CN\]: 大量 DNSSEC 验证查询或可触发 Bind9“内存毁坏”失败声明](https://kb.isc.org/docs/aa-00757.md): N/A - [CVE-2013-2266 \[DE\]: Eine spezifisch erstellte Regular Expression kann den Speicher in named erschöpfen](https://kb.isc.org/docs/aa-00883.md): N/A - [CVE-2012-5688 \[DE\]: BIND 9 Server, die DNS64 benutzen, können durch eine spezifische Abfrage zum Absturz gebracht werden](https://kb.isc.org/docs/aa-00833.md): N/A - [CVE-2012-3817 \[DE\]: Hohe Last in der DNSSEC Verifizierung kann einen "Bad Cache" Assertion Fehler in BIND9 verursachen](https://kb.isc.org/docs/aa-00743.md): N/A - [CVE-2012-3868 \[DE\]: Hohe TCP Abfrage Belastung kann ein Speicherleck in BIND 9 verursachen](https://kb.isc.org/docs/aa-00742.md): N/A - [CVE-2013-2266 \[ES\]: Una Expresión Regular Construída Maliciosamente Puede Ocasionar Agotamiento de Memoria en named](https://kb.isc.org/docs/aa-00882.md): N/A - [CVE-2012-5689 \[ES\]: BIND 9 con DNS64 habilitado puede terminar inesperadamente resolviendo dominios en RPZ](https://kb.isc.org/docs/aa-00859.md): N/A - [CVE-2012-5688 \[ES\]: Servidores BIND 9 usando DNS64 pueden ser detenidos por consultas construidas particularmente](https://kb.isc.org/docs/aa-00834.md): N/A - [CVE-2012-5166 \[ES\]: Datos especialmente construidos en DNS pueden causar el bloqueo de named](https://kb.isc.org/docs/aa-00814.md): N/A - [CVE-2012-3868 \[ES\]: Alto volumen de consultas TCP puede desencadenar 
pérdida de memoria en BIND 9](https://kb.isc.org/docs/aa-00751.md): N/A - [CVE-2012-3817 \[ES\]: Alta carga de validaciones DNSSEC puede causar una falla de aserción "Bad Cache" en BIND 9](https://kb.isc.org/docs/aa-00750.md): N/A - [CVE-2013-4854 \[JP\]: 特別に細工されたクエリによってBINDが異常終了する](https://kb.isc.org/docs/aa-01023.md): N/A - [CVE-2013-2266 \[JP\]: 不正に細工された正規表現によってnamedがメモリ不足になる](https://kb.isc.org/docs/aa-00881.md): N/A - [CVE-2012-5689 \[JP\]: DNS64を有効にしたBIND 9がRPZの名前解決時に予期せず停止する](https://kb.isc.org/docs/aa-00857.md): N/A - [CVE-2012-5688 \[JP\]: DNS64を利用するBIND 9サーバが細工されたクエリによってクラッシュする](https://kb.isc.org/docs/aa-00832.md): N/A - [CVE-2012-5166 \[JP\]: 特別に細工されたDNSのデータによるnamedのハングアップ](https://kb.isc.org/docs/aa-00808.md): N/A - [CVE-2012-3868 \[JP\]: 高負荷のTCPクエリによってBIND 9にメモリリークが発生する](https://kb.isc.org/docs/aa-00753.md): N/A - [CVE-2012-3817 \[JP\]: 高負荷のDNSSEC検証によってBIND9に"Bad Cache"表明違反が発生する](https://kb.isc.org/docs/aa-00752.md): N/A - [CVE-2013-4854 \[PT\]: A specially crafted query can cause BIND to terminate abnormally](https://kb.isc.org/docs/aa-01021.md): N/A - [CVE-2013-2266 \[PT\]: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named](https://kb.isc.org/docs/aa-00884.md): N/A - [CVE-2012-5689 \[PT\]: BIND 9 com DNS64 habilitado pode terminar inesperadamente quando resolver domínios em RPZ](https://kb.isc.org/docs/aa-00863.md): N/A - [BIND 8 Security Vulnerability Matrix](https://kb.isc.org/docs/aa-00959.md): This table summarizes the vulnerability to the bugs mentioned for all released versions of BIND 8 as of 2008. BIND 8 may be vulnerable to any or all of the BIND CVEs released since. - [CVE-2007-2930: cryptographically weak DNS query IDs (BIND 8)](https://kb.isc.org/docs/aa-00922.md): ISC BIND 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches. - [CVE-2005-0033: BIND: q_usedns array overrun](https://kb.isc.org/docs/aa-00957.md): A buffer overflow can cause the server to exit. 
- [CVE-2003-0914: BIND: Negative Cache DOS (negcache)](https://kb.isc.org/docs/aa-00956.md): A maliciously configured name server can trick a resolver into caching false no-such-name responses for long periods of time. - [CVE-2002-1221: BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times](https://kb.isc.org/docs/aa-00954.md): Remote attackers can cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. - [CVE-2002-1220: Assertion failure with large UDP size for nonexistent subdomain](https://kb.isc.org/docs/aa-00953.md): Remote attackers can cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. - [CVE-2002-1219: BIND: Remote Execution of Code (sigrec)](https://kb.isc.org/docs/aa-00955.md): When constructing a response containing SIG records an incorrect space allows a write buffer overflow. It is then possible to execute code with whatever privileges the server process has. - [CVE-2002-0651: libbind buffer overflow](https://kb.isc.org/docs/aa-00951.md): Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers. - [CVE-2001-0013: Format string vulnerability in nslookupComplain()](https://kb.isc.org/docs/aa-00947.md): Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. - [CVE-2001-0012: Infoleak](https://kb.isc.org/docs/aa-00949.md): It is possible to construct a inverse query that allows the stack to be read, remotely exposing environment variables. 
- [CVE-2001-0011: Buffer overflow in nslookupComplain()](https://kb.isc.org/docs/aa-00948.md): Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. - [CVE-2001-0010: tsig bug](https://kb.isc.org/docs/aa-00946.md): It is possible to overflow a buffer handling TSIG signed queries, thereby obtaining access to the system. - [CVE-2000-0888: srv bug](https://kb.isc.org/docs/aa-00944.md): A bug in the handling of the compression pointer tables can result in the name server entering an infinite loop. - [CVE-2000-0887: zxfr bug](https://kb.isc.org/docs/aa-00945.md): A bug in code intended to provide support for the transfer of compressed zone files can result in the name server crashing. - [CVE-1999-0851: naptr bug](https://kb.isc.org/docs/aa-00941.md): Improper validation of zone data for the NAPTR record. - [CVE-1999-0849: maxdname bug](https://kb.isc.org/docs/aa-00940.md): The use of sprintf() with data from the network can result in a buffer overflow condition which may result in unexpected behavior. - [CVE-1999-0848: fdmax bug](https://kb.isc.org/docs/aa-00943.md): Denial of service in BIND named via consuming more than "fdmax" file descriptors. - [CVE-1999-0835: sig bug](https://kb.isc.org/docs/aa-00942.md): Denial of service in BIND named via malformed SIG records. - [CVE-1999-0833: nxt bug](https://kb.isc.org/docs/aa-00939.md): Buffer overflow in BIND 8.2 via NXT records. - [What has changed in the behavior of "allow-recursion" and "allow-query-cache"](https://kb.isc.org/docs/aa-00269.md): Since 9.4.1-P1, unless an ACL is explicitly specified in the "allow-recursion" statement, the default access list is set to "localnets; localhost;". 
- [Why is my secondary server trying sometimes to use a different source IP address for zone transfers?](https://kb.isc.org/docs/aa-00904.md): There are several configuration options in named.conf that control which IPv4 and/or IPv6 source addresses are used for the SOA refresh queries and for the zone transfers themselves. See the Administrator Reference Manual for more details. - [BIND 9.18-S Edition ARM](https://kb.isc.org/docs/bind-918-s-edition-arm.md): A recent version of the Administrative Reference Manual (ARM) for the -S edition of BIND is shared here, to facilitate understanding of what the -S Edition offers. - [An Overview of BIND 9 Documentation](https://kb.isc.org/docs/aa-01031.md): The BIND 9 Administrator Reference Manual is found with the source downloads and at https://bind9.readthedocs.io/en/latest/index.html - [When I do a "dig . ns", many of the A records for the root servers are missing. Why?](https://kb.isc.org/docs/aa-00280.md): When BIND 9 first starts up and primes its cache, it receives the root server addresses as additional data in an authoritative response from a root server. - [How do I run BIND 9 on Apple Mac OS X?](https://kb.isc.org/docs/aa-00312.md): Instructions for running BIND 9 on Mac OS X - [How to bind to port 53 when using 'named -u bind' with FreeBSD](https://kb.isc.org/docs/aa-00621.md): Instructions on how to allow named to bind to port 53 - [I have FreeBSD 4.x and "rndc-confgen -a" just sits there.](https://kb.isc.org/docs/aa-00313.md): Use rndcontrol(8) to tell the kernel to use certain interrupts as a source of random events. - [I get the following error trying to configure BIND: checking if unistd.h or sys/types.h defines fd_set...](https://kb.isc.org/docs/aa-00314.md): The C compiler on your system may not meet the minimum requirements to install BIND. - [Listening on individual IPv6 interfaces does not work](https://kb.isc.org/docs/aa-00321.md): Mount another instance of "proc" in the chroot file system. 
- [Why can't named update secondary zone database files, secondary journal files and primary zones from journals?](https://kb.isc.org/docs/aa-00320.md): By default, named is not allowed by the SELinux security policy to write, create, or delete files except in specific locations. - [I get the error message "named: capset failed: Operation not permitted" when starting named.](https://kb.isc.org/docs/aa-00319.md): The Linux capability module needs to be loaded into the kernel. - [Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system?](https://kb.isc.org/docs/aa-00318.md): On Linux, BIND 9 drops most of its root privileges on startup, including the privilege to open files owned by other users. - [Why do I see 4 (or more) copies of named on Linux?](https://kb.isc.org/docs/aa-00317.md): Each Linux thread shows up as a process. - [Why does named lock up when it attempts to connect over IPSEC tunnels?](https://kb.isc.org/docs/aa-00316.md): This is the result of a kernel bug. - [Why do I get the following errors: general: errno2result.c:109: unexpected error:general: unable to convert errno to isc_result](https://kb.isc.org/docs/aa-00315.md): This error is the result of a Linux kernel bug. - [Why won't 'patch' install the patch that ISC has sent me?](https://kb.isc.org/docs/aa-00511.md): On Solaris, use "gpatch" instead. - [Building BIND for Solaris](https://kb.isc.org/docs/aa-00209.md): BIND is a direct drop-in for the default Solaris distribution if it is built with certain configure options. - [Zone transfers from my BIND 9 primary to my Windows 2000 secondary fail. Why?](https://kb.isc.org/docs/aa-00330.md): These failures may be caused by a bug in the Windows 2000 DNS server which caused DNS messages larger than 16KB to be handled incorrectly. 
- [I get "Error 1067" when starting named under Windows.](https://kb.isc.org/docs/aa-00325.md): This is the service manager saying that named exited; the Application Log in EventViewer will tell you why. - [Windows zip files for BIND 9](https://kb.isc.org/docs/aa-01392.md): ISC currently ships one set of Windows zip files for BIND 9 for both production and debug. We have discontinued producing images for Windows 32 bit. - [Why does my authoritative-only nameserver try to query the root nameservers?](https://kb.isc.org/docs/aa-00914.md): If your authoritative zones contain NS records for servers that are not within any zones that you manage or have delegated to, when your zone data is updated, by default, your server will attempt to notify the other primaries. - [How does BIND know what addresses to use?](https://kb.isc.org/docs/aa-00420.md): By default, BIND scans the network interface list every 60 minutes and stops listening on any interfaces that it finds unavailable. This can be overridden. - [Operational Notification: Impact of Stricter Glue Checking](https://kb.isc.org/docs/strict-glue.md): BIND versions released in October 2025 included changes in how BIND processes referrals in delegations. Operators should be aware. - [Operational Notification: BIND 9.20 defect in QPzone implementation](https://kb.isc.org/docs/operational-notification-bind-920-defect-in-qpzone-implementation.md): ISC received several reports concerning an assertion failure involving DNSSEC-signed zones using NSEC3. Upon investigation, ISC engineers found a serious bug in the QPzone implementation which had been introduced in BIND 9.20. Although this specific assertion only occurs in 9.20.4, the underlying defect has been present in QPzone since 9.20.0 and could potentially lead to other unexpected interactions and outcomes. 
- [Operational Notification: NSEC3 hash iterations should be minimised](https://kb.isc.org/docs/nsec3-hash-iterations-should-be-minimised.md): This notification describes a recommended change in DNSSEC practice relating to authoritative zones that are DNSSEC-signed using NSEC3. Although we are issuing this advisory to users of BIND, the advice therein is also applicable to authoritative zone operators using other DNS implementations. - [Operational Notification: BIND 9.16.20, 9.17.17, and 9.16.20-S1 can trigger an assertion failure when reading zone data stored in map format](https://kb.isc.org/docs/map-zone-format-incompatibility-in-bind-9-16-20-and-9-17-17.md): A change to the map zone file format that was introduced in August 2021 releases (9.16.20, 9.17.17, and version 9.16.20-S1 of BIND Supported Preview Edition) mistakenly failed to change the API version of the storage format. As a consequence, affected BIND versions can exit with an assertion failure when loading zones if those zones are stored in the map zone file format and were originally written by a BIND version produced prior to August 2021. 
- [Operational Notification: LMDB integration problems with BIND 9.11.0 and 9.11.1](https://kb.isc.org/docs/aa-01497.md): Operational Notification: LMDB integration problems with BIND 9.11.0 and 9.11.1 - [Operational Notification: Zone journal (.jnl) file incompatibility after upgrading to BIND 9.16.12 and 9.17](https://kb.isc.org/docs/operational-notification-zone-journal-jnl-file-incompatibility-after-upgrading-to-bind-91612-and-917.md): Operational Notification: Zone journal (.jnl) file incompatibility after upgrading to BIND 9.16.12 and 9.17 - [Operational Notification: Enabling new BIND option stale-answer-client-timeout can result in unexpected server termination](https://kb.isc.org/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination.md): Operational Notification: Enabling new BIND option stale-answer-client-timeout can result in unexpected server termination - [Operational Notification: An error in handling TCP client quota limits can exhaust TCP connections in BIND 9.16.0](https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160.md): Operational Notification: An error in handling TCP client quota limits can exhaust TCP connections in BIND 9.16.0 - [Operational Notification: Change 4892 exposed multiple problems affecting DNSSEC inline-signing](https://kb.isc.org/docs/change-4892-exposed-multiple-problems-affecting-dnssec-inline-signing.md): Operational Notification: Change 4892 exposed multiple problems affecting DNSSEC inline-signing - [Operational Notification: "update-policy local" was named misleadingly and could permit non-local DDNS updates](https://kb.isc.org/docs/aa-01599.md): Operational Notification: "update-policy local" was named misleadingly and could permit non-local DDNS updates - [Operational Notification: KSK-2010 will be retired from the root zone, potentially affecting validating resolvers](https://kb.isc.org/docs/aa-01529.md): Operational Notification: KSK-2010 will be retired from the root zone, potentially affecting validating resolvers 
- [Operational Notification: A party that is allowed control over zone data can overwhelm a server by transferring huge quantities of data.](https://kb.isc.org/docs/aa-01390.md): Operational Notification: A party that is allowed control over zone data can overwhelm a server by transferring huge quantities of data. - [Operational Notification: RPZ crashes (BIND 9.10)](https://kb.isc.org/docs/aa-01265.md): Operational Notification: RPZ crashes (BIND 9.10) - [Operational Notification: Changes in GCC Code Optimization Can Cause a Crash in BIND](https://kb.isc.org/docs/aa-01167.md): Operational Notification: Changes in GCC Code Optimization Can Cause a Crash in BIND - [Operational Notification: A Vulnerability in the SRTT Algorithm affects BIND 9 Authoritative Server Selection](https://kb.isc.org/docs/aa-01030.md): Operational Notification: A Vulnerability in the SRTT Algorithm affects BIND 9 Authoritative Server Selection - [Operational Notification: synth-from-dnssec may cause slow resolution on resolvers under certain cache conditions](https://kb.isc.org/docs/operational-notification-synth-from-dnssec-may-cause-slow-resolution-on-resolvers-under-certain-cache-conditions.md): Operational Notification: synth-from-dnssec may cause slow resolution on resolvers under certain cache conditions - [Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination](https://kb.isc.org/docs/aa-01627.md): Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination - [Operational Notification: Some releases of BIND 9.12 are too strict when handling referrals](https://kb.isc.org/docs/some-releases-of-bind-9-12-are-too-strict-when-handling-referrals-with-non-empty-answer-sections.md): Operational Notification: Some releases of BIND 9.12 are too strict when handling referrals 
- [Operational Notification: DNSSEC key deletion may create broken NSEC and NSEC3 chains and unnecessary RRSIGs](https://kb.isc.org/docs/dnssec-key-deletion-may-create-broken-nsec-and-nsec3-chains-and-unnecessary-rrsigs.md): Operational Notification: DNSSEC key deletion may create broken NSEC and NSEC3 chains and unnecessary RRSIGs - [Operational Notification: Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0](https://kb.isc.org/docs/aa-00664.md): Operational Notification: Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0 - [My access controls using default ACL localhost don't do quite what I expect.](https://kb.isc.org/docs/aa-00419.md): The built-in BIND Access Control List (ACL) localhost matches the IPv4 and IPv6 addresses of all network interfaces on the system. - [A Note About BIND Release Notes](https://kb.isc.org/docs/a-note-about-bind-release-notes.md): BIND Release Notes - [BIND 9.11 branch](https://kb.isc.org/docs/bind-911-branch.md): This document summarizes new features and functional changes that have been introduced on the BIND 9.11 branch. With each release leading up to the final BIND 9.11.x release, this document will be updated with additional features added and bugs fixed. Some details included in the release notes published for each version have been deleted for brevity. The original release notes for each 9.11.x version are available in the ftp.isc.org archives. - [BIND 9 End-of-Life Dates](https://kb.isc.org/docs/bind-9-end-of-life-dates.md): BIND 9 version history. EOL, End-of-Life dates. - [Should I use rndc reconfig or rndc reload when changing my nameserver configuration files?](https://kb.isc.org/docs/aa-00640.md): If you make a change to your named.conf and want named to start using it, use rndc reconfig to load any new zones. rndc reload reloads only the updated zones. 
- [How do I restrict people from looking up the server version?](https://kb.isc.org/docs/aa-00307.md): By default, BIND servers answer a query with information about the server version. This can be overridden. - [I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied" error messages.](https://kb.isc.org/docs/aa-00301.md): These indicate a filesystem permission error preventing named from creating / renaming the temporary file. - [What do the log entries 'adb: grow_entries ..' mean?](https://kb.isc.org/docs/aa-00706.md): The ADB hash table is a potential resource bottleneck, so it was dynamically re-sized starting in BIND 9.8 according to usage levels. - [What causes "refresh: failure trying master ...: operation canceled" error messages?](https://kb.isc.org/docs/aa-01213.md): On some Linux systems running BIND as a secondary, zones can get behind and error messages are logged. - [What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?](https://kb.isc.org/docs/aa-00204.md): Be careful to follow RFC 1918 usage rules and make sure you're not leaking queries to the Internet. - [What do +EDC and other letters I see in my query log mean?](https://kb.isc.org/docs/aa-00434.md): +EDC in a query log means that it is recursive, the sender is using EDNS0, the sender understands DNSSEC, and validation checking is disabled. - [Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?](https://kb.isc.org/docs/aa-00305.md): This is often caused by TXT records with missing close quotes. - [Since upgrading to BIND 9.9 I'm seeing "maximum number of FD events (64) received"](https://kb.isc.org/docs/aa-00716.md): To prevent this message from being logged constantly, you can increase the default number of events when you build BIND. 
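The query-log flag letters described above (`+`/`-` for RD, `E` for EDNS, `D` for DO, `C` for CD, plus `S` for signed and `T` for TCP) are easy to misread by eye on a busy server. The following script is an added example, not code from ISC or from any KB article: it parses constructed BIND-style query-log lines, decodes the flag field (handling both the older `+EDC` form and the newer `+E(0)DC` form that carries the EDNS version), and applies a few triage rules a resolver operator might want, including spotting `version.bind CH TXT` probes, which is what the `version` option discussed in the entry above is meant to blunt. The sample log lines, client addresses, and rule thresholds are all illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (illustrative, not real traffic).
SAMPLE_LOG = """\
21-Jun-2024 12:00:00.001 queries: info: client @0x7f3c 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E(0)DC (192.0.2.1)
21-Jun-2024 12:00:00.002 queries: info: client @0x7f3d 198.51.100.7#40001 (example.net): query: example.net IN ANY -E(0) (192.0.2.1)
21-Jun-2024 12:00:00.003 queries: info: client @0x7f3e 203.0.113.9#40002 (example.org): query: example.org IN AXFR -T (192.0.2.1)
21-Jun-2024 12:00:00.004 queries: info: client 10.0.0.5#5353 (version.bind): query: version.bind CH TXT - (192.0.2.1)
"""

# One query-log entry; the "@0x..." client handle only appears in newer BIND versions.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Flag letters as documented for the BIND query log: the leading +/- is RD,
# S = signed query, E = EDNS (newer versions append the version as E(n)),
# T = TCP, D = DO bit, C = CD bit.
FLAG_RE = re.compile(r"E(?:\((\d+)\))?|[STDC]")
FLAG_NAMES = {"S": "signed", "E": "edns", "T": "tcp", "D": "do", "C": "cd"}


def decode_flags(flags: str) -> dict:
    """Turn a flag string such as '+E(0)DC' into a dict of booleans."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"unexpected flag string: {flags!r}")
    decoded = {"rd": flags[0] == "+", "edns_version": None}
    for name in FLAG_NAMES.values():
        decoded[name] = False
    for m in FLAG_RE.finditer(flags[1:]):
        decoded[FLAG_NAMES[m.group(0)[0]]] = True
        if m.group(1) is not None:
            decoded["edns_version"] = int(m.group(1))
    return decoded


def parse_query_log(text: str) -> list:
    """Parse every query-log line in `text`; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["flags"] = decode_flags(entry["flags"])
        entries.append(entry)
    return entries


def triage(entries: list) -> list:
    """Apply a few simple rules a resolver operator might want to alert on."""
    findings = []
    for e in entries:
        f = e["flags"]
        if f["cd"]:
            findings.append((e["ip"], "CD bit set: client asked to skip DNSSEC validation"))
        if e["qtype"] == "ANY" and not f["tcp"]:
            findings.append((e["ip"], "ANY query over UDP: typical amplification probe"))
        if e["qclass"] == "CH" and e["name"].lower() == "version.bind":
            findings.append((e["ip"], "version.bind probe: consider 'version \"none\";'"))
    return findings


def summarize(entries: list) -> Counter:
    """Count queries per transport/EDNS combination, e.g. for capacity planning."""
    return Counter(
        ("tcp" if e["flags"]["tcp"] else "udp", "edns" if e["flags"]["edns"] else "no-edns")
        for e in entries
    )


if __name__ == "__main__":
    parsed = parse_query_log(SAMPLE_LOG)
    for ip, reason in triage(parsed):
        print(f"{ip}: {reason}")
    print(summarize(parsed))
```

Run it against a real `queries` log channel by replacing `SAMPLE_LOG` with the file contents; the regex deliberately ignores the timestamp and category prefix so it works with either the default stderr format or a file channel with `print-time yes`. The AXFR line is intentionally left unflagged: a zone transfer over TCP is normal, and whether the client is allowed is a matter for `allow-transfer`, not for log triage.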
- [What does "no source of entropy found" or "could not open entropy source foo" mean?](https://kb.isc.org/docs/aa-00309.md): BIND servers require a source of entropy to perform certain DNSSEC operations. - [I get "rndc: connect failed: connection refused" when I try to run rndc.](https://kb.isc.org/docs/aa-00300.md): This is usually a configuration error. - [I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone?](https://kb.isc.org/docs/aa-00297.md): These indicate a malformed master zone. - [I see errors like "zone example.com/IN: loading primary file zonefiles/example.com: no owner".](https://kb.isc.org/docs/aa-00299.md): This error is produced when a line in a zone file contains leading white space (tabs/spaces) but there is no current record owner name to inherit the name from. - [I get error messages like "named.conf:99: unexpected end of input" where 99 is the last line of named.conf.](https://kb.isc.org/docs/aa-00298.md): This means there are unbalanced quotes in the named.conf file. - [Why does named log the warning message "no TTL specified - using SOA MINTTL instead"?](https://kb.isc.org/docs/aa-00303.md): This is a warning that your zone file is malformed. - [What does 'maximum number of FD events ... received' mean?](https://kb.isc.org/docs/aa-00508.md): "maximum number of FD events" means that when BIND checked to see if any sockets are ready to be read from, there were more than 64 of them. - [What does named log message "deleted from unreachable cache" mean?](https://kb.isc.org/docs/aa-00765.md): BIND maintains a cache of unreachable primaries to which it refers when handling a zone refresh. - [Background info about 'maximum number of FD events' log messages](https://kb.isc.org/docs/aa-00464.md): Log messages reading "maximum number of FD events received" mean that named found more than 64 sockets to be read. 
- [Why does named log an error '3bf305731dd26307.nzf: file not found' when starting up?](https://kb.isc.org/docs/aa-00903.md): This error was seen when creating new zone files in older versions of BIND. - [Why does named log an error 'disabling RFC 1918 empty zones' when starting up?](https://kb.isc.org/docs/aa-00804.md): This error sometimes appeared in EOL versions of BIND. If you see it, please upgrade. - [Why is BIND logging "adb: grow_entries to " and "adb: grow_names to "?](https://kb.isc.org/docs/aa-00548.md): These are informational messages about the resizing of hash tables used by recursive servers. - [What does "isc_socket_create: fcntl/reserved: Too many open files" mean?](https://kb.isc.org/docs/aa-00345.md): These errors are typically seen on recursive servers and indicate that the limit on the number of open file descriptors has been reached. - [I see a log message like the following. Why? couldn't open pid file '/var/run/named.pid': Permission denied](https://kb.isc.org/docs/aa-00304.md): You are most likely running named as a non-root user and that user does not have permission to write in /var/run. - [Why does BIND log messages about disabling EDNS or reducing the advertised packet size?](https://kb.isc.org/docs/aa-00708.md): What do these messages mean and is there any problem that might be caused by them? - [Why am I seeing this message: 'named' uses 32-bit capabilities (legacy support in use) ?](https://kb.isc.org/docs/aa-00823.md): A "named uses 32-bit capabilities" warning can be safely ignored, although most administrators will want to resolve the underlying problem being highlighted - which is either that named is not using libcap at all, or that it is using the 32-bit libcap library. It is the libcap2 package that provides full 64-bit support. BIND needs to be built with libcap2 to resolve the warning. - [Why does rndc log warning key file ... exists, but using default configuration file (rndc.conf)?](https://kb.isc.org/docs/aa-00722.md): After upgrading BIND to a current version, you might be surprised to see a warning when using rndc commands. 
- [I get warning messages like "zone example.com/IN: refresh: failure trying primary 1.2.3.4#53: timed out".](https://kb.isc.org/docs/aa-00282.md): How to troubleshoot communication issues between primary and secondary authoritative servers. - [I keep getting log messages like the following. Why? Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied](https://kb.isc.org/docs/aa-00279.md): Some log error messages may mean that someone is trying to update your DNS zone without permission. Check your named configuration. - [pkcs_C_Login: Error = 0x00000005 - what does it mean?](https://kb.isc.org/docs/aa-01338.md): This is a generic error passed back to BIND by the PKCS#11 code as a result of an error on an HSM. - [Why does named log "error sending response"?](https://kb.isc.org/docs/aa-00717.md): Sometimes on busy servers, named is unable to send a client response and logs error messages. - [Why does named log error 22/Invalid argument quoting an IPv6 address starting with fe80: ?](https://kb.isc.org/docs/aa-00537.md): Another name server administrator has mistakenly added their link-local IPv6 address to their nameserver configuration, and is advertising it publicly. - [What causes "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone"](https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing.md): When named is starting up after upgrading from an earlier version of BIND 9.16 or 9.18, named may reject a zone configuration that had previously been acceptable. - [Why don't my zones reload when I do an "rndc reload" or SIGHUP?](https://kb.isc.org/docs/aa-00281.md): A zone can be updated either by editing zone files and reloading the server or by dynamic update, but not both. If you have enabled dynamic update for a zone using the "allow-update" option or by using "update-policy", you are not supposed to edit the zone file by hand, and the server will not attempt to reload it. 
- [How does BIND 9 use memory to store DNS zones?](https://kb.isc.org/docs/aa-00287.md): When reloading a zone named may have multiple copies of the zone in memory at one time: the zone it is serving and the one it is loading. If reloads are ultra-fast it can have more still, e.g. ones that are transferring out, the one that it is serving, and the one that is loading. - [Isn't "make install" supposed to generate a default named.conf?](https://kb.isc.org/docs/aa-00290.md): There's no single default configuration of named that will suit every need, so the configuration needs to be customized for your installation. - [I'm trying to use TSIG to authenticate dynamic updates or zone transfers but the server is rejecting the TSIG - why?](https://kb.isc.org/docs/aa-00310.md): Sometimes TSIG authentication errors in BIND can be caused by clock skew. - [Will named be affected by changes to daylight savings rules in my location?](https://kb.isc.org/docs/aa-00285.md): Most computers keep track of time using UTC, so Daylight Saving Time rules do not usually affect named operations. - [Why are queries for some PTR records no longer forwarded since upgrading to BIND 9.9.0?](https://kb.isc.org/docs/aa-00803.md): This behavior may be encountered due to the introduction of automatic empty zones for RFC 1918 prefixes if you are using IP addresses within the RFC 1918 private address space. - [Stub zones don't work when primaries are configured for "minimal-responses yes;"](https://kb.isc.org/docs/stub-zones-dont-work-when-primaries-are-configured-for-minimal-responses-yes.md): When a stub zone is configured in named, it seems not to work if the zones in the primary server list are configured with "minimal-responses yes;". 
- [I can query the nameserver from the nameserver but not from other machines. Why?](https://kb.isc.org/docs/aa-00311.md): Firewall configuration may stop the queries from and/or the replies to the BIND server. - [What is the Response Rate Limiting Feature in BIND?](https://kb.isc.org/docs/aa-01148.md): Response Rate Limiting is a DNS enhancement that helps mitigate amplification attacks. - [Using the Response Rate Limiting Feature](https://kb.isc.org/docs/aa-00994.md): RRL, or Response Rate Limiting, is an enhancement to the DNS protocol which serves as a mitigation tool for the problem of DNS amplification attacks. - [A Quick Introduction to Response Rate Limiting](https://kb.isc.org/docs/aa-01000.md): RRL, or Response Rate Limiting, is an enhancement to implementations of the DNS protocol that can help mitigate DNS amplification attacks. - [NXDOMAIN Redirection Using DLZ in BIND 9.10 and later](https://kb.isc.org/docs/aa-01150.md): NXDOMAIN redirection is a BIND feature that allows a recursive server to replace an NXDOMAIN response to a query with a configured answer of its own. - [BIND 9.9 redirect zones (for NXDOMAIN redirection)](https://kb.isc.org/docs/aa-00376.md): NXDOMAIN redirection lets a BIND recursive server replace an NXDOMAIN response to a query with a configured answer of its own. - [Using BIND's GeoIP Features](https://kb.isc.org/docs/aa-00971.md): BIND can restrict access using a GeoIP database. - [Is it possible to configure BIND to use both IPv6 and IPv4 on the same server?](https://kb.isc.org/docs/aa-00821.md): By default, BIND (prior to version 9.10) did not listen for client queries on IPv6, but it could be enabled. In newer versions of BIND, it is the default. - [In-line Signing With NSEC3 in BIND 9.9+ -- A Walk-through](https://kb.isc.org/docs/aa-00711.md): BIND 9.9 added a new method of zone signing, "inline signing," that creates signed zones with NSEC3 records. 
- [I don't get RRSIG's returned when I use "dig +dnssec" - why is this?](https://kb.isc.org/docs/aa-00205.md): Most likely, the zone is not signed. - [DNS Flag Day - will it affect you?](https://kb.isc.org/docs/dns-flag-day-will-it-affect-you.md): ISC and other DNS software and service providers will all cease implementing resolver workarounds to accommodate authoritative systems that don’t follow the EDNS protocol, as of February 2019. - [Introducing the named-rrchecker tool](https://kb.isc.org/docs/aa-01127.md): The named-rrchecker tool can verify and convert the syntax of individual resource records. - [9.16 DNSSEC validation automatic trust anchor management](https://kb.isc.org/docs/916-dnssec-validation-automatic-trust-anchor-management.md): Here are some tips on managing trust anchors, the public keys associated with the private keys used to sign a zone. - [Adding DKIM Records with BIND9](https://kb.isc.org/docs/aa-00725.md): DKIM -- short for "DomainKeys Identified Mail" -- is a mechanism that provides integrity controls over parts of an email transmission. - [Filter AAAA option in BIND 9](https://kb.isc.org/docs/aa-00576.md): When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions. This filtering does not affect the recursive queries made by the server (if any) as a result of the client request. - [Address database dump (ADB) - understanding the fields and what they represent](https://kb.isc.org/docs/aa-01463.md): The Address database is where named tracks details that it has learned about the behavior and responsiveness of other servers that it contacts so that it can optimize its future resolver actions in order to provide clients as quickly as possible with the answers they need, and reduce expending resources on repeated resolver queries that have failed previously. 
- [Case-Insensitive Response Compression May Cause Problems With Mixed-Case Data and Non-Conforming Clients](https://kb.isc.org/docs/aa-01113.md): BIND compresses names in responses case-insensitively by default, but the no-case-compress ACL can require case-sensitive compression for matching clients. - [How does tcp-clients work since the fix for CVE-2018-5743](https://kb.isc.org/docs/how-does-tcp-clients-work.md): BIND provides a named.conf option for limiting the number of simultaneous TCP client connections. - [Changes to NS RRset caching strategy in BIND 9.6-ESV-R6, 9.7.5, 9.8.2 and 9.9.0](https://kb.isc.org/docs/aa-00620.md): named remembers the TTL of the NS RRset when looking up records in a zone and trims the TTL of any NS RRset in the response to that value. - [DNS Flag Day - ednscomp tests and status codes](https://kb.isc.org/docs/ednscomp-tests-and-status-codes.md): ednscomp tests and equivalent dig commands - [Why does rndc reconfig sometimes resolve recursive server problems with some domains?](https://kb.isc.org/docs/aa-00213.md): Sometimes operators of recursive servers need to use rndc reconfig to clear problems associated with poorly configured DNS servers. - [What is dyndb and how is it better than DLZ?](https://kb.isc.org/docs/aa-01420.md): dyndb is a plug-in interface for BIND for custom zone data providers. Both DLZ and dyndb allow for custom zone data providers, but they work differently. - [New Features in BIND 9.10](https://kb.isc.org/docs/aa-01118.md): RRL by default, map format, RPZ performance, early prefetch, ACLs, and more. - [What does 'BITWS' mean?](https://kb.isc.org/docs/aa-00547.md): "Bump in the wire signing," or the serial number of the unsigned version of a zone. - [IPv6 Changes in BIND 9.11.0, BIND 9.10.4 and BIND 9.9.9.](https://kb.isc.org/docs/aa-01349.md): BIND 9.11.0, BIND 9.10.4, and BIND 9.9.9 introduced two IPv6-related changes. 
- [Why does dig report one more record in the additional section of a query response than I am seeing?](https://kb.isc.org/docs/aa-01059.md): The dig utility has always counted the OPT pseudo-record in the count of additional records, but dig has new defaults. - [Can I extract the key tag from a DNSKEY obtained via dig?](https://kb.isc.org/docs/aa-00610.md): dig +multi and dig +rrcomments show the key tag (key id), and both options provide more key information than was available with 9.8.2 dig. - [nsupdate in BIND 9.9.6, 9.10.0 and 9.10.1 fail to resolve the SOA MNAME in some cases](https://kb.isc.org/docs/aa-01220.md): A minor bug fix in some EOL versions of BIND introduced a regression that made the nsupdate utility fail to resolve. - [Eleven, twelve; dig and delv: BIND 9.10](https://kb.isc.org/docs/aa-01152.md): BIND 9.10 introduced a new debugging tool as a successor to dig. So, of course, we had to name it delv. It works like dig but understands DNSSEC better. - [Using Response Policy Zones to disable Mozilla DoH-by-default](https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default.md): Some network admins don't want their users' DNS queries rerouted. Here's how to use Response Policy Zones to disable DoH. - [Testing authoritative server support for EDNS and large UDP buffer sizes in BIND 9.10](https://kb.isc.org/docs/aa-01350.md): The EDNS fallback code was reworked in BIND 9.10 to make it more resilient and reliable. - [Why are my logs in GMT (UTC)?](https://kb.isc.org/docs/aa-00306.md): System-wide configurations for local time zone settings are commonly set via configuration files, which vary between operating systems. - [Dynamic Zone File Audit Logs in BIND 9](https://kb.isc.org/docs/enabling-audit-logs-in-bind-9.md): Is it possible to enable the audit logs on BIND so we can track changes performed at the DNS records level (Add/Delete/Modify A,MX,NS, records)? 
- [Logrotate Settings in BIND 9](https://kb.isc.org/docs/logrotate-settings-in-bind-9.md): Some of our users have asked how to rotate their (traditional, non DNSTAP) logs for BIND 9 to achieve per-day logs. - [How to determine BIND query rates (qps)](https://kb.isc.org/docs/aa-00559.md): BIND produces some basic statistics that can be output to a file. - [prefetch performance in BIND 9.10](https://kb.isc.org/docs/aa-01315.md): A new feature, cache prefetch, unfortunately introduced a design defect in BIND 9.10 that was not initially caught. It was fixed in 9.10.4. - [Linux connection tracking and DNS](https://kb.isc.org/docs/aa-01183.md): My busy Linux-based nameserver is giving unreasonably slow responses. How do I know if Linux connection tracking is causing the problem I am having? - [ISC's DNSSEC Look-Aside Validation Registry](https://kb.isc.org/docs/iscs-dnssec-look-aside-validation-registry.md): DNSSEC Look-Aside Validation was a transition mechanism in early DNSSEC to allow signing and validation of a domain whose parent was not DNSSEC-signed. - [Hardware Security Modules That Work with BIND 9](https://kb.isc.org/docs/hardware-security-modules-that-work-with-bind-9.md): These Hardware Security Modules are known to work with BIND 9. - [How do I flush or delete incorrect records from my recursive server cache?](https://kb.isc.org/docs/aa-01002.md): Sometimes a recursive server may have incorrect records in its cache. Here's how to delete them. - [DNS Flag Day - Notes for Authoritative Zone Owners and DNS Hosting Companies](https://kb.isc.org/docs/dns-flag-day-notes-for-authoritative-zones.md): On DNS Flag Day 2019, vendors of recursive name servers will stop releasing new software that accommodates ancient or broken authoritative servers and firewalls. 
- [Tuning your BIND configuration effectively for zone transfers (particularly with many frequently-updated zones)](https://kb.isc.org/docs/aa-00726.md): There are two types of zone transfer - full (AXFR) and incremental (IXFR).
- [PKCS#11 in BIND 9](https://kb.isc.org/docs/bind-9-pkcs11.md): The PKCS#11 support in BIND 9 comes in two flavors: native and OpenSSL-based. This page describes the OpenSSL-based method.
- [Disable dnssec-lookaside (DLV) now - here's how](https://kb.isc.org/docs/disable-dnssec-lookaside-dlv-now-heres-how.md): ISC's DNSSEC Look-Aside Validation Registry was a temporary tool to assist those adopting DNSSEC signed zones and validation. It is now obsolete.
- [--with-tuning=large - about using this build-time option](https://kb.isc.org/docs/aa-01314.md): This option allows operators to tune BIND for better performance in high-memory machines, by setting various constants and defaults.
- [Exporting statistics to Prometheus](https://kb.isc.org/docs/exporting-statistics-to-prometheus.md): It is possible to use the Stork User Agent running on your BIND servers to stream statistics to a Prometheus database for analysis and graphing.
- [Serve-stale Implementation Details](https://kb.isc.org/docs/serve-stale-implementation-details.md): Details of the logic for applying serve-stale, prefetch, and fetch-limits in BIND 9.
- [QNAME Minimization and Spamhaus](https://kb.isc.org/docs/qname-minimization-and-spamhaus.md): A recent thread on the bind-users mailing list discussed an issue with QNAME minimization and Spamhaus's DNS servers. The issue appears to be non-RFC-compliant responses from Spamhaus's DNS servers.
- [RRL on queries to the built-in _bind view](https://kb.isc.org/docs/rrl-on-queries-to-the-built-in-bind-view.md): On servers that do not have Response Rate Limiting (RRL) configured, administrators may still see evidence of rate-limiting being logged.
- [Setting Journal Size for Secondary Servers](https://kb.isc.org/docs/setting-journal-size-for-secondary-servers.md): The journal reduces the cost of rewriting complete zone files; the IXFR gets appended to the journal.
- [DNSSEC Key and Signing Policy](https://kb.isc.org/docs/dnssec-key-and-signing-policy.md): Since BIND 9.16 there is a new way to maintain DNSSEC.
- [Migrating from OpenDNSSEC to BIND 9](https://kb.isc.org/docs/migrating-from-opendnssec-to-bind-9.md): With OpenDNSSEC reaching End-of-Life, this article aims to help with the transition to BIND 9 for those who wish to do so. In BIND 9 you can configure a DNSSEC Key and Signing Policy (KASP), allowing you to specify all DNSSEC signing behavior in one place. This is the same approach as with OpenDNSSEC.
- [Monitoring Recommendations for BIND 9](https://kb.isc.org/docs/monitoring-recommendations-for-bind-9.md): BIND has two mechanisms for publishing usage statistics, the static 'named.stats' file and the statistics channel.
- [When does rndc reconfig flush the cache?](https://kb.isc.org/docs/aa-00836.md): Why does rndc reconfig flush the cache sometimes but not on other occasions?
- [BIND 9 Technical Contributors' Guide](https://kb.isc.org/docs/bind-9-technical-contributors-guide.md): Steps to follow if you would like to contribute to BIND 9 code.
- [Why is rndc dumpdb very slow (taking an unexpectedly long time to complete)?](https://kb.isc.org/docs/aa-01454.md): The control command rndc dumpdb -all causes named to write out the contents of cache and authoritative zones from memory into a text file. Sometimes it's slow.
- [checkhints: unable to get root NS rrset from cache: not found](https://kb.isc.org/docs/checkhints-unable-to-get-root-ns-rrset-from-cache-not-found.md): This warning indicates that the root NS RRset has been primed in cache but named is unable to access the new entries.
- [Lame servers - what are they and how does BIND deal with them?](https://kb.isc.org/docs/lame-servers-what-are-they-and-how-does-bind-deal-with-them.md): Lame servers are authoritative DNS servers where the 'parent' system does not include a record for that domain.
- [ixfr-from-differences - pitfalls and genuine use cases](https://kb.isc.org/docs/ixfr-from-differences-pitfalls-and-genuine-use-cases.md): Operators of authoritative BIND DNS servers may be aware of the option ixfr-from-differences that can be used to generate and maintain a journal (.jnl) file of incremental differences, tracking the changes that have been made to the zone content over time.
- [Using private or internal DNS zones - guidance and best practice](https://kb.isc.org/docs/using-private-name-space.md): For some organisations, it may be desirable to add private, internal names to their DNS - that is, names that can be resolved only by their internal nameservers. When setting these up, it is important to be aware of potential pitfalls and to follow good practices in order to avoid name resolution and operational problems for users and applications.
- [Collecting client queries for DNS server testing](https://kb.isc.org/docs/collecting-client-queries-for-dns-server-testing.md): This article shares the recipe we use (and suggest to others) for effectively capturing client query streams whilst also randomising the client sources so that the data can be shared safely with other organisations without exposing client IP addresses.
- [BIND option reuseport](https://kb.isc.org/docs/bind-option-reuseport.md): BIND 9.16 and newer are able to take advantage of kernel load-balancing of server sockets on systems which support it, including Linux and FreeBSD. This is enabled by default.
- [EDNS Client Subnet (ECS) for Resolver Operators - Getting Started](https://kb.isc.org/docs/edns-client-subnet-ecs-for-resolver-operators-getting-started.md): ISC has implemented EDNS Client Subnet (ECS) for Resolvers in the BIND Supported Preview (-S) edition. To help Resolver Operators to get started with ECS, here are some things that it is helpful to understand before making the first configuration changes.
- [BIND block options](https://kb.isc.org/docs/bind-block-options.md): The options block does not have to be present in the BIND configuration file, if there are no options to set, or to change from their default values.
- [BIND block topmost](https://kb.isc.org/docs/bind-block-topmost.md): Topmost is used as a placeholder at the topmost level of the configuration hierarchy, to describe the area(s) in which other statements can be used.
- [BIND statement forwarders](https://kb.isc.org/docs/bind-statement-forwarders.md): The forwarders statement allows users to define lists of addresses. Each list is named and can be referenced by this name.
- [BIND statement fetches-per-zone](https://kb.isc.org/docs/bind-statement-fetches-per-zone.md): This statement limits the number of simultaneous queries permitted to any one domain before named blocks new queries for data in or beneath that domain. The value should reflect how many fetches would normally be sent to any one domain in the time it would take to resolve them and should be smaller than recursive-clients.
- [Kea API and Control Sockets](https://kb.isc.org/docs/kea-api-sockets.md): This article introduces the Kea API and discusses the architecture of how it is presented, via control sockets, the direct API, and the KCA.
- [Kea Significant Features Matrix](https://kb.isc.org/docs/aa-01615.md): Kea DHCP server significant features
- [Kea Hook Libraries](https://kb.isc.org/docs/kea-hook-libraries.md): Kea hooks are separate libraries that can be optionally installed with Kea to provide additional functionality. Some of the Kea hooks are licensed under the MPL 2.0 open source license, and are packaged with the open source distribution of the core Kea daemons. Other Kea hooks are licensed under a commercial license and are distributed in bundles as Kea Premium Hooks, Kea Subscriber Hooks, and Kea Enterprise Hooks.
- [Standard DHCP Options Defined in ISC DHCP and Kea](https://kb.isc.org/docs/standard-dhcp-options.md): These tables show which standard options are supported in ISC DHCP and Kea DHCP server software.
- [Kea Documentation](https://kb.isc.org/docs/kea-administrator-reference-manual.md): Kea DHCP comes with an Administrator Reference Manual for users.
- [Installing the Kea Premium Hook Libraries from Sources - Kea 2.6.4 and older](https://kb.isc.org/docs/installing-the-kea-premium-hook-libraries-from-sources-kea-264-and-older.md): This article explains how to download and install the Kea Premium hook libraries for Kea DHCP versions 2.6.4 and earlier.
- [Installing the Kea Subscriber Hook Libraries from Sources - Kea 3.0.0 and later](https://kb.isc.org/docs/installing-the-kea-subscriber-hook-libraries-from-sources.md): These instructions will help you build and install the hook libraries for Kea DHCP versions 3.0.0 and later.
- [Using Official ISC Packages for Kea](https://kb.isc.org/docs/isc-kea-packages.md): Instructions for installing pre-built binary packages for RPM, Debian-type and Alpine OSes, plus Docker images. Includes guides for all current versions of Kea DHCP.
- [Fetching Kea Sources](https://kb.isc.org/docs/installing-kea.md): Instructions for installing Kea via package repositories or from source code.
- [Kea install on CentOS 7 using ISC repositories](https://kb.isc.org/docs/kea-install-on-centos-7-using-isc-repositories.md): Instructions for installing Kea DHCP.
- [Kea 1.5 build on Debian 9 (EOL)](https://kb.isc.org/docs/kea-build-on-debian.md): Instructions for building Kea DHCP on Debian.
- [Kea build on Ubuntu](https://kb.isc.org/docs/kea-build-on-ubuntu.md): Instructions for building Kea DHCP on Ubuntu.
- [Migrating Kea to a New MySQL Database Server](https://kb.isc.org/docs/kea-mysql-host-migration.md): How to migrate a Kea database from one MySQL/MariaDB server to another
- [Changes to Be Aware of When Migrating to Kea 2.6.0](https://kb.isc.org/docs/changes-to-be-aware-of-when-migrating-to-kea-2-6-0.md): Helpful hints for users upgrading to Kea 2.6.0, including changes and removed/deprecated parameters
- [Upgrading to a Newer Version of Kea](https://kb.isc.org/docs/upgrading-kea-to-newer-version.md): How to upgrade your DHCP system to a new version of Kea software.
- [Upgrading Packages Beyond Kea 2.3.2](https://kb.isc.org/docs/upgrading-packages-beyond-kea-232.md): Installing ISC packages for Kea, for versions 2.3.2 and later.
- [Upgrading to Kea 1.6](https://kb.isc.org/docs/upgrading-to-kea-16.md): Users of Kea DHCP 1.5 can use this guide to help them upgrade.
- [Things to be aware of when upgrading to Kea 3.0.0](https://kb.isc.org/docs/things-to-be-aware-of-when-upgrading-to-kea-300.md): The release of the Kea 3.0 branch brings with it many changes users need to know about. Users are encouraged to read this article and the release notes before upgrading!
- [Kea Configuration Introduction](https://kb.isc.org/docs/kea-configuration-sections-explained.md): This is an introduction to the components of the Kea DHCP configuration file, with examples.
- [Using Kea Config File Includes](https://kb.isc.org/docs/kea-conf-include.md): Kea features an extension to JSON that allows the contents of one file to be included in another file. This can be used to simplify Kea management.
- [Redefining Standard Options](https://kb.isc.org/docs/redefining-standard-options.md): Since DHCPv4 has been around for so long, some of the option numbers that were unused in the past have later been defined by an RFC for some purpose.
- [Altering the Subnet Mask Option Based on giaddr](https://kb.isc.org/docs/altering-the-subnet-mask-option-based-on-giaddr.md): Increasingly, we have been asked how to assign a /32 netmask in DHCPv4. This is, apparently, an address saving scheme. Kea automatically computes the appropriate value for option 1 or "subnet-mask" based on the content of the subnet statement.
- [Kea HA Strategies Comparison](https://kb.isc.org/docs/kea-ha-strategies-comparison.md): Kea's High Availability hook is the recommended solution for high availability operation. The Kea HA hook works by pairing Kea servers in either an active-active or active-passive collaboration scheme. Each Kea server can monitor the other and assume responsibility for answering on behalf of the other server in case of failure.
- [Kea Shared Lease Database Quickstart](https://kb.isc.org/docs/kea-shared-lease-database-quickstart.md): In some cases, administrators may want to configure Kea to use the "Shared Lease Database" High Availability method. This method has certain advantages when compared to the HA Hook. The advantages and disadvantages of each method are covered in the Kea HA Strategies Comparison document. In this document, the focus will be on configuring the Shared Lease Database method in Kea.
- [Kea HA Quickstart Guide](https://kb.isc.org/docs/kea-ha-quickstart-guide.md): New Kea users often want to set up redundancy. The HA hook documentation is complicated because the feature is powerful with many modes and options available. This quickstart guide will describe how to set up, test, and tune the HA hook in the "Hot-Standby" mode.
- [Kea HA Hub & Spoke Experimentation](https://kb.isc.org/docs/kea-ha-hub-spoke-experimentation.md): A common configuration of failover in ISC DHCP was the "hub and spoke" model, where there was a central (hub) server that had a failover relationship with several satellite servers (sometimes called branch or spokes) at geographically disparate locations. This article is an exploration of what is possible with the "hub and spoke" model and is a result of testing each relationship represented here.
- [Kea Configuration for Small Office or Home Use](https://kb.isc.org/docs/kea-configuration-for-small-office-or-home-use.md): This article provides a basic Kea configuration for small office or home users. This simple configuration should be useful, although your specific situation may be more complex.
- [Kea Configuration for Cable Providers](https://kb.isc.org/docs/kea-configuration-for-cable-providers.md): Sample Kea configuration for a small, simple cable service provider
- [Ports used by Kea](https://kb.isc.org/docs/kea-ports.md): This article summarizes the TCP and UDP ports (service ports) used by the Kea DHCP server.
- [Kea: Use unique databases](https://kb.isc.org/docs/kea-unique-databases.md): When configuring Kea to use a database for storage of leases or host reservations, use a unique database for each Kea server.
- [Kea Logging Configuration](https://kb.isc.org/docs/kea-logging-configuration.md): In Kea, log messages are controlled through what are known as "loggers." Basically, these are names which group together logs from specific parts of Kea. Logging provides a way to funnel messages of a specific type to a specific destination.
- [Kea Configuration for a Simple, Single-site Organization](https://kb.isc.org/docs/single-site-organization.md): Kea configuration template for simple, single-site organization
- [Building a Kea testbed with NETCONF](https://kb.isc.org/docs/building-a-kea-testbed-with-netconf.md): Instructions on installing Kea, Sysrepo, NETCONF, and Netopeer2 for testing on nearly all Linux distributions.
- [Do I need to use shared-networks or not with Kea DHCP?](https://kb.isc.org/docs/do-i-need-to-use-shared-networks-or-not-with-kea-dhcp.md): Shared networks are a way to tell the DHCP server that all of the subnets specified inside a single shared-network can be considered equal. But there's more.
- [Facilitating Classification with Template Classes](https://kb.isc.org/docs/facilitating-classification-with-template-classes.md): Client classification helps with differentiating between clients. It can be used to change the behavior of many parts of DHCP message processing.
- [Kea DHCPv6 Design Considerations](https://kb.isc.org/docs/kea-dhcpv6-design-considerations.md): Here are some tips for administering Kea's DHCPv6 server.
- [Sending Commands to Kea via HTTP](https://kb.isc.org/docs/sending-commands-to-kea-via-http.md): When sending a command via HTTP, you must specify whether it's addressed to dhcpv4, dhcpv6, or the control agent itself, via the 'service' parameter.
- [Kea HA timer settings](https://kb.isc.org/docs/kea-ha-timer-settings.md): Kea High Availability server pairs continuously exchange heartbeat messages. There are two tuning parameters.
- [Setting queue-capacity in Kea](https://kb.isc.org/docs/setting-queue-capacity-in-kea.md): DHCP queue controls in Kea mitigate a problem that may occur when a large number of devices reboot at once, flooding the DHCP server with requests.
- [Subnet Selection and Client Classes](https://kb.isc.org/docs/subnet-selection-and-client-classes.md): Client class statements selectively block access to certain subnets.
- [Understanding Client Classification](https://kb.isc.org/docs/understanding-client-classification.md): Client classification is a stateless DHCP packet pre-processing mechanism to examine an incoming packet's contents and associate it with a class. This article describes some of the ways client classification can be used in Kea DHCP.
- [Using Host Reservations in Kea](https://kb.isc.org/docs/what-are-host-reservations-how-to-use-them.md): Host reservations, also known as "address reservations" or "static reservations," allow a DHCP resource to be reserved for a device.
- [Using the Kea Configuration Backend](https://kb.isc.org/docs/using-the-kea-configuration-backend.md): The Kea DHCP configuration backend offers scalable DHCP configuration management via a database.
- [Using the Kea DHCP DROP class](https://kb.isc.org/docs/using-the-kea-dhcp-drop-class.md): Sometimes clients send DHCP packets that you would like your DHCP server to ignore. The DROP class can help.
- [Getting started with Galera or Percona for Kea](https://kb.isc.org/docs/getting-started-with-galera-or-percona-for-kea.md): This document provides instructions for setting up a working database cluster for use as a Kea lease backend, or any other type of Kea backend.
- [Experimental MySQL clusters for Kea](https://kb.isc.org/docs/experimental-mysql-clusters-for-kea.md): MySQL supports multiple database storage engines. InnoDB is the default engine and the one that Kea is designed to work with.
- [Kea and the 767 bytes limit in MySQL](https://kb.isc.org/docs/kea-767-bytes-limit-mysql.md): When using a MySQL database with Kea DHCP, some users see errors, probably due to use of an inappropriate character set.
- [MySQL Cluster set up for Kea 1.0](https://kb.isc.org/docs/aa-01406.md): Here is one way to set up a MySQL Cluster for use as a Kea DHCP backend.
- [Securing the MySQL Connection](https://kb.isc.org/docs/securing-the-mysql-connection.md): Modern SQL databases, such as MySQL, its variants, and PostgreSQL, can protect communication between clients, such as Kea, and servers using SSL/TLS. In MySQL, the TLS configuration is split between clients and servers, so to enable TLS, you need to update both the Kea and MySQL server configuration.
- [Experimenting with PostgreSQL High Availability](https://kb.isc.org/docs/experimenting-with-postgresql-high-availability.md): We performed several tests to confirm that data provided by Kea to one database node was properly propagated and available to Kea from another node via PostgreSQL High Availability.
- [Kea Database Connection Resilience](https://kb.isc.org/docs/kea-database-resilience.md): Dealing with database connectivity problems from the Kea DHCP server software, including parameters that can be adjusted to make Kea compensate for those problems, and some of the implications of doing so.
- [Why Doesn't My DNS Get Updated by Kea?](https://kb.isc.org/docs/why-doesnt-my-dns-get-updated-by-kea.md): Kea does DNS updates only if the client sends either the Host Name or Fully Qualified Domain Name (FQDN) option in the REQUEST.
- [I set up a firewall, but the Kea server still receives packets. Why?](https://kb.isc.org/docs/i-set-up-a-firewall-but-the-kea-server-still-receives-packets-why.md): Incoming packets are received as raw Ethernet frames, thus bypassing the whole kernel IP stack, including any firewalling rules your kernel may provide.
- [Kea fails to receive incoming traffic](https://kb.isc.org/docs/kea-dhcpv6-doesnt-get-incoming-traffic.md): Many operating systems include firewalls that discard incoming IPv6 traffic by default.
- [Limiting DHCP DECLINE](https://kb.isc.org/docs/limiting-dhcp-decline.md): A DHCP server may unknowingly offer an IP address that is already in use to another client. To prevent this, any DHCP client should attempt to verify that a newly received IP address is available. This article describes how to avoid a DECLINE loop where a client repeatedly requests an address and then declines it.
- [How to use the perfdhcp DHCP testing tool](https://kb.isc.org/docs/perfdhcp.md): perfdhcp is a tool to generate DHCP traffic, which can be used to benchmark DHCP servers. It has many options available; learn more about them here.
- [Kea Performance Optimization](https://kb.isc.org/docs/kea-performance-optimization.md): Tips for optimizing Kea DHCP performance.
- [Kea Performance Tests 1.7.6 and Multithreading](https://kb.isc.org/docs/kea-performance-tests-17-multithreading.md): This article provides measurements on Kea DHCP 1.7.6 performance metrics.
- [Kea Performance Tests - 1.4.0 vs. 1.5.0](https://kb.isc.org/docs/kea-performance-tests-140-vs-150.md): This article provides measurements on Kea DHCP 1.4 and 1.5 performance metrics.
- [Why is ISC skeptical of the value of Ping-Check?](https://kb.isc.org/docs/ping-check.md): Ping-check was a popular feature in ISC DHCP, but was not initially supported in Kea. Here's why, and why we eventually added it to Kea.
- [Kea High Availability vs ISC DHCP Failover](https://kb.isc.org/docs/aa-01617.md): Both Kea DHCP and ISC DHCP offer reliable continuous-service options, but they are not the same.
- [Logging in Kea for ISC DHCP Users](https://kb.isc.org/docs/isc-dhcp-logging-compared-to-kea.md): Configure Kea to produce logs similar to ISC DHCP
- [CVE-2026-3608: Stack overflow in Kea daemons](https://kb.isc.org/docs/cve-2026-3608.md): Sending a maliciously crafted message to Kea daemons over any configured API socket or HA listener can cause a stack overflow error.
- [CVE-2025-11232: Invalid characters cause assert](https://kb.isc.org/docs/cve-2025-11232.md): To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must NOT be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.
- [CVE-2025-40779: Kea crash upon interaction between specific client options and subnet selection](https://kb.isc.org/docs/cve-2025-40779.md): If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem.
- [CVE-2025-32803: Insecure file permissions can result in confidential information leakage](https://kb.isc.org/docs/cve-2025-32803.md): In some cases, Kea log files or lease files may be world-readable. If an attacker has access to a local unprivileged user account, they would be able to read the logs and/or lease information. This might disclose details about DHCP clients (MAC addresses, hostnames, IP addresses, configuration details, and so on), or about Kea itself.
- [CVE-2025-32802: Insecure handling of file paths allows multiple local attacks](https://kb.isc.org/docs/cve-2025-32802.md): Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
- [CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation](https://kb.isc.org/docs/cve-2025-32801.md): Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
- [CVE-2019-6474: An oversight when validating incoming client requests can lead to a situation where the Kea server will exit when trying to restart](https://kb.isc.org/docs/cve-2019-6474.md): CVE-2019-6474: An oversight when validating incoming client requests can lead to a situation where the Kea server will exit when trying to restart
- [CVE-2019-6473: An invalid hostname option can cause the kea-dhcp4 server to terminate](https://kb.isc.org/docs/cve-2019-6473.md): CVE-2019-6473: An invalid hostname option can cause the kea-dhcp4 server to terminate
- [CVE-2019-6472: A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate](https://kb.isc.org/docs/cve-2019-6472.md): CVE-2019-6472: A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate
- [CVE-2018-5739: ISC Kea 1.4.0 failure to release memory may exhaust system resources](https://kb.isc.org/docs/aa-01626.md): CVE-2018-5739: ISC Kea 1.4.0 failure to release memory may exhaust system resources
- [CVE-2015-8373 - ISC Kea: unexpected termination while handling a malformed packet](https://kb.isc.org/docs/aa-01318.md): CVE-2015-8373 - ISC Kea: unexpected termination while handling a malformed packet
- [A Note About Kea Release Notes](https://kb.isc.org/docs/a-note-about-kea-release-notes.md): The Kea release notes can be found on our downloads site or in our documentation at Read the Docs.
- [Stork Quickstart guide](https://kb.isc.org/docs/stork-quickstart-guide.md): This quickstart guide gives an overview of the installation process in steps, grouped by package manager or OS. Choose your OS/package manager to jump directly to the section that covers the installation on your system.
- [Upgrading Stork](https://kb.isc.org/docs/upgrading-stork.md): Each Stork release includes both major pieces of the Stork architecture: Stork server and Stork agent. The order in which to deploy the components can be somewhat tricky; this article discusses several strategies.
- [Importing external certificates to Stork](https://kb.isc.org/docs/importing-external-certificates-to-stork.md): Step-by-step guide for importing externally-generated certificates into the Stork server.
- [Stork LDAP Authentication](https://kb.isc.org/docs/stork-ldap.md): The Stork server can use an external LDAP server for identification and authorization of users and groups. This is typically used to provide single-sign-on (SSO) via an organization's personnel directory.
- [A Brief Introduction to LDAP](https://kb.isc.org/docs/ldap-intro.md): For those unfamiliar with LDAP, an introduction to some of the basic concepts is provided here. The intent is to give you enough to get started with simple LDAP integrations.
- [Stork 2.4 and Kea socket permissions](https://kb.isc.org/docs/stork-kea-socket-perms.md): Stork 2.4 with Kea 3.0 may have issues due to default permissions of the Kea control sockets. Some workarounds are available and described here.
- [CVE-2025-8696: DoS attack against the Stork UI from an unauthenticated user](https://kb.isc.org/docs/cve-2025-8696.md): If an unauthenticated user sends a large amount of data to the Stork UI, it may cause memory and disk use problems for the system running the Stork server.
- [CVE-2024-28872: Incorrect TLS certificate validation can lead to escalated privileges](https://kb.isc.org/docs/cve-2024-28872.md): The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service.
- [Host reservations deleted when editing shared networks with Stork](https://kb.isc.org/docs/stork-hosts-lost-shared-nets.md): One of Stork's features is the ability to edit shared networks in Kea DHCP, and shared networks that contain subnets can support host reservations. However, due to a bug in Stork, if you edit a shared network in Stork that contains a subnet, any host reservations associated with that subnet will be deleted if those reservations are defined in the Kea configuration files. Host reservations stored in a database are not affected; neither are host reservations defined outside of shared networks.
- [Migrating from ISC DHCP to Kea DHCP using the Migration Assistant](https://kb.isc.org/docs/migrating-from-isc-dhcp-to-kea-dhcp-using-the-migration-assistant.md): ISC's Kea Migration Assistant can help users migrate from ISC DHCP to Kea DHCP. Here's how.
- [Accessing the ISC DHCP GitLab Repository](https://kb.isc.org/docs/aa-01029.md): The ISC DHCP source code is available through ISC's GitLab repo.
- [A Basic Guide to Configuring DHCP Failover](https://kb.isc.org/docs/aa-00502.md): ISC DHCP allows you to configure failover easily, with these steps.
- [Operational Notification for ISC DHCP 4.4.3](https://kb.isc.org/docs/operational-notification-for-isc-dhcp-443.md): The generation of the xid in ISC DHCP release 4.4.3 has been altered so that the randomness will be automatically seeded from a configurable source such as /dev/random (default).
- [Securing Your Network From DHCP Risks](https://kb.isc.org/docs/aa-00573.md): DHCP was originally designed for simplicity, not security. These tips can help secure your network.
- [ISC DHCP 4.4 Manual Pages - dhcpd](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpd.md): Man pages documentation for dhcpd
- [ISC DHCP 4.4 Manual Pages - dhcpd.conf](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf.md): Man pages for ISC DHCP dhcpd.conf
- [ISC DHCP 4.4 Manual Pages - dhcp-options](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-options.md): Man pages for ISC DHCP dhcp-options
- [ISC DHCP 4.4 Manual Pages - dhcp-eval](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-eval.md): Manual pages for ISC DHCP 4.4 dhcp-eval
- [ISC DHCP 4.4 Manual Pages - omapi](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-omapi.md): Manual pages for ISC DHCP 4.4 - omapi
- [ISC DHCP 4.4 Manual Pages - omshell](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-omshell.md): Manual pages for ISC DHCP 4.4 omshell
- [ISC DHCP 4.4 Manual Pages - dhcpd.leases](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdleases.md): Manual pages for ISC DHCP 4.4 dhcpd.leases
- [ISC DHCP 4.4 Manual Pages - ctl](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-ctl.md): Manual pages for ISC DHCP 4.4 ctl
- [ISC DHCP to Kea Migration Assistant](https://kb.isc.org/docs/kea-migration-assistant.md): Manual pages for the ISC DHCP to Kea Migration Assistant (keama)
- [ISC DHCP 4.4 Manual Pages - dhcrelay](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcrelay.md): Manual pages for ISC DHCP 4.4 dhcrelay
- [ISC DHCP 4.4 Manual Pages - dhclient](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhclient.md): Manual pages for ISC DHCP 4.4 dhclient
- [ISC DHCP 4.4 Manual Pages - dhclient-script](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhclient-script.md): Manual pages for ISC DHCP dhclient-script
- [ISC DHCP 4.4 Manual Pages - dhclient.conf](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhclientconf.md): Manual pages for ISC DHCP 4.4 dhclient.conf
- [ISC DHCP 4.4 Manual Pages - dhclient.leases](https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhclientleases.md): Manual pages for ISC DHCP 4.4 dhclient.leases
- [ISC DHCP 4.4.3 Manual Pages - dhclient-script](https://kb.isc.org/docs/isc-dhcp-443-manual-pages-dhclient-script.md): Manual page for dhclient-script - DHCP client network configuration script
- [ISC DHCP 4.4.3 Manual Pages - dhclient.conf](https://kb.isc.org/docs/isc-dhcp-443-manual-pages-dhclientconf.md): Manual page for dhclient.conf - DHCP client configuration file
- [ISC DHCP 4.4.3 Manual Pages - dhclient](https://kb.isc.org/docs/isc-dhcp-443-manual-pages-dhclient.md): Manual page for dhclient - Dynamic Host Configuration Protocol Client.
- [ISC DHCP 4.1 Manual Pages - dhcpd](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcpd.md): Manual pages for ISC DHCP 4.1 - dhcpd
- [ISC DHCP 4.1 Manual Pages - dhcpd.conf](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcpdconf.md): Manual pages for ISC DHCP 4.1 - dhcpd.conf
- [ISC DHCP 4.1 Manual Pages - dhcp-options](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcp-options.md): Manual pages for ISC DHCP 4.1 - dhcp-options
- [ISC DHCP 4.1 Manual Pages - dhcp-eval](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcp-eval.md): Manual pages for ISC DHCP 4.1 - dhcp-eval
- [ISC DHCP 4.1 Manual Pages - omapi](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-omapi.md): Manual pages for ISC DHCP 4.1 - omapi
- [ISC DHCP 4.1 Manual Pages - omshell](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-omshell.md): Manual pages for ISC DHCP 4.1 - omshell
- [ISC DHCP 4.1 Manual Pages - dhcpd.leases](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcpdleases.md): Manual pages for ISC DHCP 4.1 - dhcpd.leases
- [ISC DHCP 4.1 Manual Pages - ctl](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-ctl.md): Manual pages for ISC DHCP 4.1 - ctl
- [ISC DHCP 4.1 Manual Pages - dhcrelay](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcrelay.md): Manual pages for ISC DHCP 4.1 - dhcrelay
- [ISC DHCP 4.1 Manual Pages - dhclient](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhclient.md): Manual pages for ISC DHCP 4.1 - dhclient
- [ISC DHCP 4.1 Manual Pages - dhclient-script](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhclient-script.md): Manual pages for ISC DHCP 4.1 - dhclient-script
- [ISC DHCP 4.1 Manual Pages - dhclient.conf](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhclientconf.md): Manual pages for ISC DHCP 4.1 - dhclient.conf
- [ISC DHCP 4.1 Manual Pages - dhclient.leases](https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhclientleases.md): Manual pages for ISC DHCP 4.1 - dhclient.leases
- [How can I protect my DHCP server from a badly behaved spamming client?](https://kb.isc.org/docs/aa-00211.md): ISC DHCP does not include rate-limiting, but there are other ways around spam issues. Kea DHCP allows selective client drops.
- [CVE-2022-2929 DHCP memory leak](https://kb.isc.org/docs/cve-2022-2929.md): The function "fqdn_universe_decode()" allocates buffer space for the contents of option 81 (fqdn) data received in a DHCP packet. The maximum length of a DNS "label" is 63 bytes. The function tests the length byte of each label contained in the "fqdn"; if it finds a label whose length byte value is larger than 63, it returns without dereferencing the buffer space. This will cause a memory leak.
- [CVE-2022-2928 An option refcount overflow exists in dhcpd](https://kb.isc.org/docs/cve-2022-2928.md): When the function "option_code_hash_lookup()" is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The function "add_option()" is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
- [CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient](https://kb.isc.org/docs/cve-2021-25217.md): CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient - [CVE-2018-5733: A malicious client can overflow a reference counter in ISC dhcpd](https://kb.isc.org/docs/aa-01567.md): CVE-2018-5733: A malicious client can overflow a reference counter in ISC dhcpd - [CVE-2018-5732: A specially constructed response from a malicious server can cause a buffer overflow in dhclient](https://kb.isc.org/docs/aa-01565.md): CVE-2018-5732: A specially constructed response from a malicious server can cause a buffer overflow in dhclient - [CVE-2017-3144: Failure to properly clean up closed OMAPI connections can exhaust available sockets](https://kb.isc.org/docs/aa-01541.md): CVE-2017-3144: Failure to properly clean up closed OMAPI connections can exhaust available sockets - [CVE-2016-2774: An attacker who is allowed to connect to DHCP inter-server communications and control channels can exhaust server resources](https://kb.isc.org/docs/aa-01354.md): CVE-2016-2774: An attacker who is allowed to connect to DHCP inter-server communications and control channels can exhaust server resources - [CVE-2015-8605: UDP payload length not properly checked](https://kb.isc.org/docs/aa-01334.md): CVE-2015-8605: UDP payload length not properly checked - [CVE-2013-2494: A Vulnerability in libdns Could Cause Excessive Memory Use in ISC DHCP 4.2](https://kb.isc.org/docs/aa-00880.md): CVE-2013-2494: A Vulnerability in libdns Could Cause Excessive Memory Use in ISC DHCP 4.2 - [CVE-2012-3955: Reducing the expiration time for an IPv6 lease may cause the server to crash](https://kb.isc.org/docs/aa-00779.md): CVE-2012-3955: Reducing the expiration time for an IPv6 lease may cause the server to crash - [CVE-2012-3954: Memory Leaks Found in ISC 
DHCP](https://kb.isc.org/docs/aa-00737.md): CVE-2012-3954: Memory Leaks Found in ISC DHCP - [CVE-2012-3570: An Error in the Handling of an Unexpected Client Identifiers can Cause Server Crash When Serving DHCPv6](https://kb.isc.org/docs/aa-00714.md): CVE-2012-3570: An Error in the Handling of an Unexpected Client Identifiers can Cause Server Crash When Serving DHCPv6 - [CVE-2012-3571: An Error in the Handling of Malformed Client Identifiers can Cause a Denial-of-Service Condition in Affected Servers](https://kb.isc.org/docs/aa-00712.md): CVE-2012-3571: An Error in the Handling of Malformed Client Identifiers can Cause a Denial-of-Service Condition in Affected Servers - [CVE-2011-4868: An Error in DDNS Processing of DHCPv6 Leases Can Cause a Crash in ISC dhcpd](https://kb.isc.org/docs/aa-00705.md): CVE-2011-4868: An Error in DDNS Processing of DHCPv6 Leases Can Cause a Crash in ISC dhcpd - [CVE-2011-4539: DHCP Regular Expressions Segfault](https://kb.isc.org/docs/aa-00569.md): CVE-2011-4539: DHCP Regular Expressions Segfault - [CVE-2011-0413: DHCP May Crash After Processing a DHCPv6 Decline Message](https://kb.isc.org/docs/aa-00456.md): CVE-2011-0413: DHCP May Crash After Processing a DHCPv6 Decline Message - [CVE-2011-0997: dhclient Does Not Strip or Escape Shell Meta-characters](https://kb.isc.org/docs/aa-00455.md): CVE-2011-0997: dhclient Does Not Strip or Escape Shell Meta-characters - [CVE-2011-2748: ISC DHCP Server Halt](https://kb.isc.org/docs/aa-00454.md): CVE-2011-2748: ISC DHCP Server Halt - [CVE-2010-3616: DHCP: Server Hangs with TCP to Failover Peer Port](https://kb.isc.org/docs/aa-00966.md): CVE-2010-3616: DHCP: Server Hangs with TCP to Failover Peer Port - [CVE-2010-2156: DHCP: Fencepost error on zero-length client identifier](https://kb.isc.org/docs/aa-00964.md): CVE-2010-2156: DHCP: Fencepost error on zero-length client identifier - [CVE-2010-3611: DHCP: Server Crash with Empty Link-Address Field](https://kb.isc.org/docs/aa-00965.md): CVE-2010-3611: 
DHCP: Server Crash with Empty Link-Address Field - [CVE-2009-1892: DHCP host record fenceposting error](https://kb.isc.org/docs/aa-00963.md): CVE-2009-1892: DHCP host record fenceposting error - [CVE-2009-0692: DHCP Stack Overflow in 'dhclient' script_write_params()](https://kb.isc.org/docs/aa-00962.md): CVE-2009-0692: DHCP Stack Overflow in 'dhclient' script_write_params() - [DHCP 4.4.0 has a serious defect. ISC recommends users postpone upgrades until DHCP 4.4.1 can be issued](https://kb.isc.org/docs/aa-01557.md): DHCP 4.4.0 has a serious defect. ISC recommends users postpone upgrades until DHCP 4.4.1 can be issued - [CVE-2004-0460: DHCP stack buffer overflow vulnerability in handling log lines containing ASCII characters only](https://kb.isc.org/docs/aa-00961.md): CVE-2004-0460: DHCP stack buffer overflow vulnerability in handling log lines containing ASCII characters only - [CVE-2004-0461: DHCPD contains C Includes that sometimes defines vsnprintf() as vsprintf()](https://kb.isc.org/docs/aa-00960.md): CVE-2004-0461: DHCPD contains C Includes that sometimes defines vsnprintf() as vsprintf() - [CVE-2012-3571 \[CN\]: 对恶意请求的处理失当会导致 DHCP 服务器面临拒绝服务攻击](https://kb.isc.org/docs/aa-00762.md): N/A - [CVE-2012-3570 \[CN\]: 处理异常客户端标识的错误将会导致 DHCPv6 服务器崩溃](https://kb.isc.org/docs/aa-00761.md): N/A - [CVE-2012-3954 \[CN\]: ISC DHCP 内存泄露漏洞](https://kb.isc.org/docs/aa-00760.md): N/A - [CVE-2012-3954 \[DE\]: Speicherleck in ISC DHCP gefunden](https://kb.isc.org/docs/aa-00738.md): N/A - [CVE-2012-3570 \[DE\]: Ein Fehler in der Behandlung eines unerwarteten Client IDs kann den DHCP Server zum Absturz bringen während er eine DHCPv6 Anforderung beantwortet.](https://kb.isc.org/docs/aa-00740.md): N/A - [CVE-2012-3571 \[DE\]: Ein Fehler in der Behandlung von falsch formatierten Client-IDs kann den betroffenen Server in einen unbenutzbaren Zustand versetzen](https://kb.isc.org/docs/aa-00739.md): N/A - [CVE-2012-3954 \[ES\]: Pérdidas de Memoria en ISC 
DHCP](https://kb.isc.org/docs/aa-00749.md): N/A - [CVE-2012-3571 \[ES\]: Un error en el manejo de identificadores de cliente inesperados puede causar la caída del servidor mientras se sirve DHCPv6](https://kb.isc.org/docs/aa-00747.md): N/A - [CVE-2012-3570 \[ES\]: Un error en el manejo de identificadores de cliente mal formados puede causar una condición de negación de servicio en servidores afectados.](https://kb.isc.org/docs/aa-00745.md): N/A - [CVE-2012-3570 \[JP\]: 予期しないクライアント識別子によってDHCPv6のサービス中にサーバがクラッシュする](https://kb.isc.org/docs/aa-00756.md): N/A - [CVE-2012-3571 \[JP\]: ISC DHCP 不正なクライアント識別子処理における不具合によってサーバにサービス妨害が引き起こされる](https://kb.isc.org/docs/aa-00755.md): N/A - [CVE-2012-3954 \[JP\]: ISC DHCPのメモリリーク](https://kb.isc.org/docs/aa-00754.md): N/A - [Large networks and memory allocation in ISC DHCP](https://kb.isc.org/docs/large-networks-and-memory-allocation-in-isc-dhcp.md): Runtime memory allocation in ISC DHCP differs between IPv4 and IPv6 servers. - [A Note About ISC DHCP Release Notes](https://kb.isc.org/docs/a-note-about-isc-dhcp-release-notes.md): ISC DHCP release notes are available on our FTP server or at https://downloads.isc.org/isc/dhcp. - [ISC DHCP End of Life Dates](https://kb.isc.org/docs/isc-dhcp-eol-dates.md): End-of-life dates for the different versions of ISC DHCP. - [Where to find ISC DHCP documentation?](https://kb.isc.org/docs/aa-00333.md): Documentation for the ISC DHCP software is available. - [DHCP failover peers at a distance - configuration, loading and bandwidth considerations](https://kb.isc.org/docs/aa-00369.md): Configuration, loading, and bandwidth considerations for running geographically separated DHCP failover peers. - [DHCP Failover and MCLT configuration implications](https://kb.isc.org/docs/aa-00268.md): A too-small MCLT time causes performance issues but a too-large time means a longer delay at failover. 
- [How DHCP uses raw sockets](https://kb.isc.org/docs/aa-00379.md): dhcpd opens raw sockets to receive DHCP packets and transmit unicasts, while a BSD/UDP socket is read from to free up buffers and transmit routed unicasts. - [bind update on xx.xx.xx.xx from rejected: incoming update is less critical than outgoing update](https://kb.isc.org/docs/aa-00362.md): This error means the local server is sending a binding update, and has received a binding update before receiving an ack on its own update. - [Why are the lease times short and random during communication-interrupted state?](https://kb.isc.org/docs/aa-00327.md): The DHCPv4 lease expiration time MUST NOT be greater by more than the MCLT beyond the later of the partner lifetime of that server's failover partner and the current time. - [Using RAMdisks and other similar volatile storage for the leases file](https://kb.isc.org/docs/aa-00275.md): If you are not in a failover situation, it is better to have a partially recovered lease database than to start with a completely empty database. - [Declaring the subnets in ISC DHCP](https://kb.isc.org/docs/aa-00274.md): It's necessary to declare the subnets in dhcpd.conf for any interfaces on which you want to use DHCP protocols. - [How can I work around IPv6 prefix length issues with ISC DHCP clients?](https://kb.isc.org/docs/aa-01141.md): The prefix length for IA_NA or IA_TA addresses was originally hard-coded at 64, but that may not always be appropriate. Here's how to modify the client script. - [DHCPv4 Server Performance](https://kb.isc.org/docs/aa-01283.md): Two areas in the DHCPv4 server can limit the server's performance. Here's some management advice. - [LDAP in ISC DHCP](https://kb.isc.org/docs/aa-01284.md): ISC DHCP includes some contributed code for storing and retrieving your DHCP configuration in LDAP. 
- [How does pool rebalance work between failover pairs?](https://kb.isc.org/docs/aa-00276.md): The pool is rebalanced at a time that the server estimates it may be imbalanced (the estimate is based on the expiration time of the oldest lease). - [DHCPv4 Over DHCPv6 (RFC7341) in ISC DHCP 4.3.4](https://kb.isc.org/docs/aa-01359.md): ISC DHCP includes experimental support for DHCPv4 Over DHCPv6 as described in RFC7341. - [Specifying Address Ranges in IPv6](https://kb.isc.org/docs/aa-01168.md): The instruction 'range6' provides two ways to define a block of addresses that the server can use for allocations. - [Recommendations for restarting a DHCP failover pair](https://kb.isc.org/docs/aa-01043.md): When you need to restart both servers, what is the recommended process? - [DHCP uses too much memory: reducing dhcp memory consumption by careful use of range6 statements](https://kb.isc.org/docs/aa-01464.md): The amount of memory consumed by ISC DHCP can be significantly reduced by strategic use of 'range6' statements. - [What causes dhcpd to log uid lease 203.0.113.51 for client xx:xx:xx:xx:xx:xx is duplicate ?](https://kb.isc.org/docs/aa-00687.md): These logged errors can safely be ignored. - [LDAP and updating to DHCP 4.3.3 or newer](https://kb.isc.org/docs/aa-01462.md): Most changes were seamless to users, but there was one change in particular that we later discovered can cause incompatibility issues when updating. - [What is DHCP Failover?](https://kb.isc.org/docs/aa-01356.md): DHCP failover is a mechanism whereby two DHCP servers are both configured to manage the same pool of addresses. - [Putting the working server in a failover pair into "partner down" state](https://kb.isc.org/docs/aa-00252.md): To put the working server in an ISC DHCP failover pair into "partner down" mode, you can either edit the leases file or use omshell/OMAPI. 
- [Securing dhcpd against unauthorized OMAPI control connections](https://kb.isc.org/docs/aa-01355.md): ISC DHCP has support for OMAPI, the Object Mapping Application Protocol Interface. Servers should be protected if OMAPI is enabled. - [Avoiding infinite loops (that can cause dhcpd to segfault or crash)](https://kb.isc.org/docs/aa-01271.md): Here are some examples of ways to create infinite loops, and some advice on avoiding them. - [Why does "dhclient -6" not work if I haven't already enabled IPv6 on the interface?](https://kb.isc.org/docs/aa-01212.md): DHCPv6 clients use their IPv6 link-local addresses to communicate with the server. If IPv6 is not enabled on the interface, communication is not possible. - [Formatting MAC addresses in dhcpd (or 'why does binary-to-ascii strip leading zeroes?')](https://kb.isc.org/docs/aa-01039.md): The binary-to-ascii function strips leading zeroes when printing numeric values. - [Migration Tips For Upgrading From DHCP 3 to DHCP 4](https://kb.isc.org/docs/aa-00611.md): All versions of ISC DHCP 3 are EOL. Here's how to migrate to a current version. - [DHCPv6 and link-local IPv6 interface addresses](https://kb.isc.org/docs/aa-00368.md): It's not possible to have dhcpd listen on an interface if it's not declared via subnet6. Kea does not have the limitations of ISC DHCP. - [How do you have dhcpd reload its configuration file?](https://kb.isc.org/docs/aa-00335.md): The dhcpd server doesn't have any reload mechanism. The server has to be stopped and restarted. - [Does the list of parameters in the dhcp-parameter-request-list need to be in hex?](https://kb.isc.org/docs/aa-00334.md): Yes. - [Building ISC DHCP on Solaris 11](https://kb.isc.org/docs/aa-01040.md): Starting with versions 4.1-ESV-R3 and 4.2.2, ISC DHCP integrated a patch from Oracle to use BSD/UDP sockets instead of DLPI (with raw sockets) on Solaris 11. 
- [Can I use failover over long-distance links?](https://kb.isc.org/docs/aa-01556.md): Yes, but performance may be adversely affected by high connection latency. - [Why is my server logging: "dhcpd: send_packet: Invalid argument"?](https://kb.isc.org/docs/aa-01443.md): This error indicates either a resource problem or a wrong error code from the operating system kernel. - [DHCPv6 "not our server identifier", discarding renews](https://kb.isc.org/docs/aa-01175.md): Most likely, this error means the server has lost its lease file. - [After sending a DHCPOFFER packet to a client, how long will dhcpd wait before discarding that offer?](https://kb.isc.org/docs/aa-00819.md): dhcpd holds the lease for two minutes after sending a DHCPOFFER. - [How do I resynchronize a failover pair?](https://kb.isc.org/docs/aa-00609.md): Here are the steps to manually trigger a resynchronization on a failover pair of DHCP servers. - [Why is my server logging: "dhcpd: icmp_echorequest 192.0.2.1: No buffer space available"?](https://kb.isc.org/docs/aa-01444.md): This log message means that the socket send buffer has overflowed. - [Sending a Server Shutdown Message via OMAPI](https://kb.isc.org/docs/aa-00475.md): OMAPI is the control channel specification for dhcpd. It can be used to modify the configuration of a server or to send control messages. - [Why does DHCP use raw sockets?](https://kb.isc.org/docs/aa-00378.md): The DHCP protocol has some specific requirements that can only be met via raw sockets. - [Synchronous Disk Writes and DHCP Performance Limitations](https://kb.isc.org/docs/aa-00373.md): DHCP performance can be limited by disk I/O. Here are some tips to help speed performance. - [Using Dual-Stack Mixed Mode (DSMM) with DDNS in ISC DHCP 4.4](https://kb.isc.org/docs/aa-01588.md): When clients obtain both an IPv4 and an IPv6 address, they want the same hostname for both the v4 and the v6 addresses. This is hard to coordinate. 
- [Newly Pre-defined Options in DHCP 4.3](https://kb.isc.org/docs/aa-01112.md): We added some definitions for options for DHCPv4 and DHPCv6 that were previously defined by the IETF. - [DHCPv6 support for relay options in ISC DHCP 4.3](https://kb.isc.org/docs/aa-01096.md): Unlike in DHCPv4, in DHCPv6 each relay agent along the packet path adds its own set of relay agent options. - [Adding support for "on commit", "on expire", and "on release" statements in DHCPv6](https://kb.isc.org/docs/aa-01094.md): These statements function in DHCPv6 pretty much the same as they do in DHCPv4. - [Support in ISC DHCP for DDNS (Dynamic DNS) without zone statements](https://kb.isc.org/docs/aa-01097.md): ISC DHCP 4.3 returned support for using DDNS without a zone statement. - [Caution is strongly recommended if using the "dont-use-fsync" option](https://kb.isc.org/docs/aa-01095.md): fsync() is a file-control primitive that instructs the operating system to synchronize pending writes to permanent storage. Not using it can cause issues. - [Adding class support for DHCPv6 in ISC DHCP 4.3](https://kb.isc.org/docs/aa-01093.md): DHCP 4.3 and 4.4 provide DHCPv6 server operators the ability to define client class and subclass membership using option attributes. - [OMAPI support for classes and subclasses](https://kb.isc.org/docs/aa-01092.md): ISC DHCP 4.3 enhanced OMAPI support for dynamically adding and deleting classes and subclasses without restarting the server. - [ISC DHCP support for Standard DDNS](https://kb.isc.org/docs/aa-01091.md): Over the years there have been three distinct styles for the DDNS code. The ddns-update-style option is used to select among them for a server. - [Matching User Class (option 77) from RFC 3004 compliant clients in ISC DHCP](https://kb.isc.org/docs/matching-user-class-option-77-from-rfc-3004-compliant-clients-in-isc-dhcp.md): ISC DHCP has a built-in definition for option 77 (User Class) of type text (character string).