Knowledge Base ISC Main Website Ask a Question/Contact ISC
BIND9 Significant Features Matrix
Author: Cathy Almond Reference Number: AA-01310 Views: 20535 Created: 2015-10-20 13:07 Last Updated: 2018-04-13 22:59 100 Rating/ 3 Voters

The "S" (stable preview) editions and the other release branches of BIND differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND, (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Feature9.99.9 S (stable preview)
9.109.10 S 9.11 9.11 S9.12 
Removed support for      dig + sigchase
dlv trust anchor

Automatic interface scanning

all allall all all
Case-sensitive name compression9. allall all all
Crypto: Native PKCS#11

allall all all all
DDOS Mitigation: DNS COOKIE (previously called SIT)

all (with --enable-sit);
code point updated to COOKIE in 9.10.3
 allall all all
(multiple cookie secret added)
DDOS Mitigation: Faster RPZ and new triggers
allall allall all (refactored RPZ) all (refactored RPZ)
DDOS Mitigation: Fetch limits (DDoS mitigation for recursiveservers)9.9.8
(with --enable-fetchlimit)
(revised 9.9.8-S1)
9.10.3 (with --enable-fetchlimit) allall all all
DDOS Mitigation: Minimal response to 'any' queries

 all all all
DDOS Mitigation: Multiple response rate limiters for different domains
DDOS Mitigation: Response rate limiting (RRL)9.9.4
(with --enable-rrl)
allall allall all all
DDOS Mitigation: SERVFAIL caching
 allall all all
DDOS Mitigation: Size & ratio controls for response rate limiters
DDOS Mitigation: Serve Stale       all
DNSSEC: Automatic creation of CDS, CDSKEY records

 all all all
DNSSEC: Negative trust anchors
 allall all all

EDNS Client-Subnet (ECS) for resolver

EDNS Client-Subnet (ECS) option support for authoritative servers

 expexp exp exp
EDNS EXPIRE option (server side)   all (with experimental code point);
EXPIRE code point finalized in 9.10.1
 all all all all
EDNS EXPIRE option (client side)     all all all
EDNSImproved EDNS fallback processing

all allall all all
EDNS Padding (RFC 7830)    9.10.5-S1  all all
GeoIP support
allall allall all all
Management: Detailed statistics counters
allall allall all all
Management: DNSTAP query/response logging
 allall all all
Management: automatic DNSTAP file rolling  9.9.9-S1  all  all all
Management: timestamp suffix option for rolled log files
and DNSTAP files
    all  all all
Management: JSON statistics
allall allall allall 
Management: New XML statistics schema9.9.3all (with --enable-newstats)all allallall all
Management: Squelch duplicate named servers

 all all all
Management: Traffic size statistics (per RSSAC02)

all all all
nxdomain-redirect option
 allall all all
Performance: EDNS TCP keepalive support (RFC 7828)    all


Performance: Fast "map" format zone files

all allall all all
Performance: glue cache       all
Performance: Large server tuning
allall allall all all
Performance: minimal responses       all
Performance: mutex locking fixes (resolver)     all all all all
Performance: answer synthesis from cached NSEC       all
Performance: Pipelined TCP queries (server side)

9.10.6-S2 maximum timeout increased
all all
maximum timeout increased
maximum timeout increased
Performance: TCP connection sharing for update forwarding    all all all
Performance: Separate rate limiting for startup NOTIFY messages
 allall allall 
Provisioning: Catalog zones

 all all all
Provisioning: Dynamic DB (DynDB) support

 all all all
Provisioning: in-view zone option

all allall all all
Resolver: Cache prefetch

all allall all all
Resolver: Prefer IPv6 when querying authoritative servers
 allall all all
RNDC: "showzone", "modzone", faster "delzone"
 allall all all
RNDC: Python module

 all all all
RNDC: read-only option
 allall all all
RNDC: zone status reporting

all allall all all
RPZ: refactored RPZ      all all
RPZ: Response Policy Service API       all

New utilities that have been introduced in each branch

Utility9.99.9 S (stable preview)
9.109.10 S 9.119.11 S9.12 
 delv  all allall all all
 dnssec-cds       all
 dnssec-checkds9.9.2allall allall all all
 dnssec-coverage9.9.3allall allall all all
 dnssec-importkey9. allall
 dnssec-keymgr     all all all
 dnssec-verify9.9.2allall allall all all
 dnstap-read     all all all
 mdig     all all all
 named-rrchecker   all all all all all
 tsig-keygen  all allall all all


  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch
  • version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token).  It can be enabled with --enable-sit in all unix/linux builds and is on by default in Windows.  In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu