readme1st.txt   [plain text]

Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2003  Internet Software Consortium.
See COPYRIGHT in the source root or for terms.

$Id: readme1st.txt,v 1.18.372.2 2008/12/14 21:33:07 tbox Exp $

	   Release of BIND 9.5 for Windows 2000/XP/2003

This is a release of BIND 9.5 for Windows 2000/XP/2003.
Only IPv4 stacks are supported on the box running this version of BIND.
IPv6 stacks will be supported in a future release.

	Important Kit Installation Information

As of release 9.3.0, BINDInstall requires that you install
it under an account with restricted privileges. The installer
will prompt you for an account name (the default is "named") and
a password for that account. It will also check for the existence
of that account. If it does not exist it will create it with only
the privileges required to run BIND. If the account does exist it
will check that it has only the one privilege required:
"Log on as a service". If it has too many privileges it will ask
whether you want to continue.

With BIND running under a dedicated account it is necessary for all
files and directories that BIND uses to have permissions set up
for the named account if the files are on an NTFS disk. BIND requires
that the account have read and write access to the directory for
the pid file and to any files that are maintained either for slave zones
or for master zones supporting dynamic updates. The account will
also need read access to named.conf and any other file that
it needs to read.

It is important that on Windows the directory directive is used in
the options section to tell BIND where to find the files used in
named.conf (default %WINDOWS%\system32\dns\etc\named.conf).

	options {
		directory "C:\WINDOWS\system32\dns\etc";
	};

If you have previously installed BIND 8 or BIND 4 on the system on which
you wish to install this kit, you MUST use the BIND 8 or BIND 4 installer
to uninstall the previous kit.  For BIND 8.2.x, you can use the
BINDInstall that comes with the BIND 8 kit to uninstall it. The BIND 9
installer will NOT uninstall the BIND 8 binaries.  That will be fixed
in a future release.

Unpack the kit into any convenient directory and run the BINDInstall
program.  This will install the named and associated programs into
the correct directories and set up the required registry keys.

Messages are logged to the Application log in the EventViewer.

	Controlling BIND

Windows NT/2000 uses the same rndc program as is used on Unix
systems.  The rndc.conf file must be configured for your system in
order to work. You will need to generate a key for this. To do this
use the rndc-confgen program. The program will be installed in the
same directory as named: dns/bin/.  From the DOS prompt, run the
command as follows:

rndc-confgen -a

which will create an rndc.key file in the dns/etc directory. This will
allow you to run rndc without an explicit rndc.conf file or a key and
controls entry in the named.conf file. See section of the ARM for
details of this. An rndc.conf can also be generated by running:

rndc-confgen > rndc.conf

which will create the rndc.conf file in the current directory, but not
copy it to the dns/etc directory where it needs to reside. If you create
rndc.conf this way you will need to copy the same key statement into

The additions look like the following:

key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };

controls {
	inet port 953 allow { localhost; } keys { "rndc-key"; };
};

Note that the value of the secret must come from the key generated
above for rndc, and the key value must be the same on both sides. Details of
this may be found in section of the ARM. If you have rndc
on a Unix box you can use it to control BIND on the NT/W2K box, and
likewise you can use the Windows version of rndc to control a BIND 9
daemon on a Unix box. However you must have key statements valid for
the servers you wish to control, specifically the IP address and key
in both named.conf and rndc.conf. Again see section of the
ARM for details.
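As an added example (not part of this README or of the BIND distribution), the following Python script checks that the key statement on the rndc side and the key and controls statements in named.conf agree, which is the consistency requirement described above. The fragments it reads are constructed samples; the loopback address in the sample controls statement and the secret value are assumptions.

```python
import base64
import binascii
import re

# Constructed sample inputs modelled on the statements in this README; the secret is a placeholder.
SECRET = "c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1yZWFs"
RNDC_KEY_FILE = 'key "rndc-key" { algorithm hmac-md5; secret "%s"; };' % SECRET
NAMED_CONF = '''
key "rndc-key" { algorithm hmac-md5; secret "%s"; };
controls { inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; }; };
''' % SECRET

# One key statement: key "name" { algorithm X; secret "Y"; };
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
# The keys { ... } clause of the controls statement.
CONTROLS_KEYS_RE = re.compile(r'controls\s*\{.*?keys\s*\{([^}]*)\}', re.S)

def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key statement in text."""
    return {m.group(1): (m.group(2), m.group(3)) for m in KEY_RE.finditer(text)}

def controls_key_names(text):
    """Return the key names the controls statement accepts, in order."""
    m = CONTROLS_KEYS_RE.search(text)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def check_rndc_setup(rndc_side, named_conf):
    """Return a list of problems; an empty list means rndc and named agree."""
    problems = []
    rndc_keys, named_keys = parse_keys(rndc_side), parse_keys(named_conf)
    if not rndc_keys:
        problems.append("no key statement on the rndc side (rndc.key/rndc.conf)")
    names = controls_key_names(named_conf)
    if not names:
        problems.append("named.conf has no controls statement listing a key")
    for name in names:
        if name not in named_keys:
            problems.append(f"controls references undefined key {name!r}")
        elif name not in rndc_keys:
            problems.append(f"key {name!r} is missing on the rndc side")
        elif named_keys[name] != rndc_keys[name]:
            problems.append(f"key {name!r} differs between named.conf and rndc.conf")
    for name, (_alg, secret) in named_keys.items():
        try:  # rndc-confgen emits the secret as base64; anything else is a typo
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"secret of key {name!r} is not valid base64")
    return problems
```

Run it against the real dns/etc/rndc.key (or rndc.conf) and named.conf contents before starting the service; any non-empty result is a reason rndc will fail to authenticate.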

In order to use rndc from a different system it is important to
ensure that the clocks are synchronized. The clocks must be kept
within 5 minutes of each other or the rndc commands will fail
authentication. Use NTP or other time synchronization software
to keep your clocks accurate. NTP can be found at
In addition, BIND is installed as a win32 system service, and can be
started and stopped in the same way as any other service; it
automatically starts whenever the system is booted. Signals are
not supported and are in fact ignored.

Note: Unlike most Windows applications, named does not change its
working directory when started as a service.  If you wish to use
relative file names in named.conf you will need to specify a working
directory using the directory directive in the options section.

This kit includes documentation in HTML format.  The documentation is not
copied during the installation process, so you should move it to any convenient
location for later reference. Of particular importance is the BIND 9
Administrator's Reference Manual (Bv9ARM*.html) which provides detailed
information on BIND 9. In addition, there are HTML pages for each of the
BIND 9 applications.

	DNS Tools

The following tools have been built for Windows NT: dig, nslookup,
host, nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone,
dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and dnssec-keyfromlabel.
The tools will NOT run on Win9x, only WinNT and Win2000. The dnssec-*
tools are for use with DNSSEC.  All tools are installed in the
dns/bin directory.

It is no longer necessary to create a resolv.conf file on Windows as
the tools will look in the registry for the required nameserver
information. However if you wish to create a resolv.conf file as
follows it will use it in preference to the registry nameserver

To create a resolv.conf you need to place it in the System32\Drivers\etc
directory and it needs to contain a list of nameserver addresses to
use to find the nameserver authoritative for the zone. The format of
this file is:


Replace the IP addresses with your real addresses. is a valid
address if you are running a nameserver on the localhost. 


Please report all problems to and not to me. All
other questions should go to the mailing list or the
comp.protocols.dns.bind news group.

	Danny Mayer