Compiling BIND9

Jim Reid jim at rfc1035.com
Sat Aug 7 00:52:18 UTC 2004


>>>>> "June" == June  <nfbz2003 at yahoo.com> writes:

    June> What's the 64-bit file support for?

Er, 64-bit files? :-) BIND9 uses 64-bit pointers internally so it can
accommodate data structures that are bigger than 4GB and therefore
can't be addressed by 32-bit pointers.

    June> The default for IPv6 is autodetect, what's the difference of
    June> this from enabling IPv6 support?

This depends on what you mean by "enabling IPv6 support". IIRC the
only compile-time IPv6 feature in BIND9 is whether to use the KAME
IPv6 stuff if that had been installed. At compile-time, configure
works out whether your OS supports IPv6 or not and does the Right
Thing. So if IPv6 is available when you compile BIND9, BIND9 will know
how to use it. However BIND9 only uses IPv6 for receiving and making
queries if you tell it to do that through the IPv6-related options in
its configuration file, named.conf. Assuming of course BIND9 was
compiled and run on a box that has an OS which provided IPv6 support.

    June> What's the package of Openssl? Is it big?  Should I install
    June> it if I may use DNSSEC, but not really sure?

OpenSSL is a tool and library with zillions of very useful crypto
stuff: secure hash algorithms, code for handling X.509 certificates,
encryption algorithms like DES, RSA, etc. Everyone should have this.
It's not big. Unless you're running it on a digital watch or something
like that. BIND9 uses the OpenSSL code for the crypto support it needs
for DNSSEC: hash and crypto algorithms. The BIND9 documentation tells
you that OpenSSL isn't needed unless you want BIND9 to support DNSSEC.

    June> Do IPv6 and DNSSEC support need a lot of space and/or CPU
    June> power?  Does it make sense that I compile it in case I need them?
    June> I think this way may need space (mem too?) but not CPU
    June> power, right?

Just run configure and then compile. The default build will work just
fine unless you're running on a tiny machine (ie 1 MIP CPU and 1 MB of
RAM). Or you're putting huge (numbers of) zones on the server. It's
unlikely you'd be asking the sorts of questions above if you were
running a Big DNS installation. If you've bought a new computer in the
last 10 years or so and put some flavour of modern UNIX on it, it will
have enough hardware and software resources to compile and run BIND.

Don't bother about DNSSEC support. It's disabled by default. If you
enable this, it means you're supposed to know what you're letting
yourself in for. Setting up DNSSEC is very hard. Judging by your
questions, this is not for you. At least not now.... [Consult the list
archives to get an idea of the world of pain DNSSEC opens up.] When
DNSSEC is in use, a lot of CPU cycles can be burned on verifying the
crypto signatures on DNS data. Not that you'd be likely to get many
signed DNS responses. But that's a story for another time.

There's no IPv6 code to rip out at compile-time, so there are no bytes
or CPU cycles to be saved there. Not that you're likely to need to
save these anyway. In doc/misc, you'll find info on some of the
problems of using BIND9 over IPv6 transport on some implementations.
Read that carefully before telling the name server to use IPv6. You
should only need to care about this if you are already using IPv6.

