BIND 9 Significant Features Matrix
  • 04 Mar 2024
  • 6 Minutes to read
  • Contributors
  • Dark
  • PDF

BIND 9 Significant Features Matrix

  • Dark
  • PDF

Article summary

This table lists the major feature differences among the current supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.

These tables do not include changes in the build environment or platform support. Those requirements are included in the file at the top level of the BIND distribution.

BIND -S software

The "-S" (stable preview) editions are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.


BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this did not result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.


  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.

Major Features Added or Changed

Feature 9.18
current stable
current stable
old stable
old stable
9.11 EOL 9.11-S EOL
DDOS mitigation: DNS COOKIE (previously called SIT) all all updated in 9.16.10 updated in 9.16.10-S updated in 9.11.26 aes or sha256 algorithm changed to siphash24, multiple cookie secrets added
DDOS mitigation: Multiple response rate limiters for different domains --- all --- all --- all
DDOS mitigation: Size & ratio controls for response rate limiters --- all --- all --- all
DNSSEC: Key and Signing Policy updated updated new new --- ---
DNSSEC validation auto auto default changed from yes to auto auto --- ---
DNSSEC: validate-except Permanent Negative trust anchors all all all all --- added (backported from 9.13.10)
DNS over HTTPS (DoH) (RFC 8484) all all --- --- --- ---
DNS over TLS (DoT) (RFC 7858) all all --- --- --- ---
Documentation: BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs all all all --- --- ---
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) all all 9.16.8 9.16.8 9.11.24 9.11.24
EDNS Client-Subnet (ECS) for resolver --- all --- all, updated 9.16.10-S --- all, updated 9.11.26-S
EDNS Client-Subnet (ECS) option support for authoritative servers --- --- removed removed experimental experimental
EDNS Padding (RFC 7830) all all all all --- all
Extended Errors (RFC 8914) #18 #18 --- --- --- ---
GeoIP support 2.0 api 2.0 api all 2.0 api all all
IXFR size limits all all new max-ixfr-ratio option all --- ---
Management: automatic DNSTAP file rolling all all all all --- added
Management: timestamp suffix option for rolled log files and DNSTAP files all all all all --- added
Maximum timeout increased all all all all all, longer max timeout all, longer max timeout
Mirror Zones (RFC 8806) all all added (9.13.2) all --- ---
BIND Modules: plug-in support for query processing now asynchronous now asynchronous added (9.13.2) all --- ---
Performance: EDNS TCP keepalive support (RFC 7828) all all all all --- all
Performance: glue cache The option has been deprecated. The feature will be enabled by default in the future The option has been deprecated. The feature will be enabled by default in the future added added --- ---
Performance: minimal responses (RFC 8482) all all added added --- ---
Performance: answer synthesis from cached NSEC ( modified, re-enabled by default modified, re-enabled by default present, disabled by default present, disabled by default --- ---
Performance: pipelined TCP queries (server side) (RFC 7766) all all --- all all all
QNAME minimization (RFC 9156) all all all all --- all
RPZ-passthru new logging channel all all --- --- --- ---
RPZ: refactored RPZ all all all all --- all, rate limits added
RPZ: nsdname-wait-recurse all all all all --- all
RPZ: Response Policy Service API all all new new --- ---
New RRs HTTPS, SCVB HTTPS, SCVB --- --- --- ---
Serve Stale see KB see KB all, updated 9.16.9, 9.16.13 all, updated 9.16.9-S, 9.16.13-S --- 9.11.4-S, updated 9.11.25-S, 9.11-30-S1
Umbrella PROTOSS EDNS option --- all --- all --- new
Zone transfer over TLS, aka XoT (RFC 9103) new new --- --- --- ---

Features Removed (or Planned for Removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of deprecated features generates a warning. Removing features reduces complexity which is a major factor in stabilizing the software. Most of the features that are deprecated are little-used, and some are actually considered harmful in modern deployments, even if they once seemed like a good idea.

"Obsolete"/Removed" options are no longer in use: they are either ignored or named.conf will not load with them. We have a policy for removing options by a phased process: the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."

Feature 9.24 9.22 9.20 9.18 current stable 9.16 old stable 9.15 EOL 9.14 EOL 9.12 EOL
acache cleaning-interval, acache enable, additional from auth, additional from cache --- --- --- --- additional data now recorded in main cache
cleaning-interval --- --- --- --- removed obsolete obsolete obsolete
Crypto: Native PKCS#11 --- --- --- removed in 9.18, replaced with OpenSC PKCS#11 deprecated
dig+sigchase --- --- --- --- --- --- --- removed
DLV (DNSSEC Look-Aside Validator) --- --- --- --- removed deprecated
DLV trust anchor --- --- --- --- --- --- --- removed
DLZ drivers (DLZ modules unaffected) --- --- --- deprecated in 9.17.19, to be removed in 9.18
DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST) --- --- --- --- --- --- removed
DNSSEC-enable --- --- --- obsolete obsolete 9.15.1; DNSSEC enabled by default
DNSSEC-must-be-secure --- fatal error, obsolete deprecation warning insecure answers will be accepted with NTA insecure answers will be accepted with NTA insecure answers will be accepted with NTA insecure answers will be accepted with NTA insecure answers will be accepted with NTA
DNSSEC managed-keys 9.15.1; replaced with trust-anchors plus initial-key
DNSSEC trusted-keys 9.15.1; replaced with trust-anchors plus static-key
DSCP --- --- obsolete deprecated/non-operational deprecated/non-operational
EDNS Client-Subnet (ECS) authoritative --- --- --- --- --- --- removed
lwresd --- --- --- --- --- --- --- removed
"map" zone file format --- --- --- removed deprecated
delegation-only and root-delegation-only --- --- obsolete deprecated
Source ports: explicit definition of source ports for outgoing connections: specifying port in following statements query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, parental-source-v6; or in the following statements as whole: use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, avoid-v6-udp-ports --- obsolete deprecated discouraged as it implicitly disables source port randomization
TKEY mode 2, switch to TKEY Mode 3 (GSS-API) --- --- removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH deprecated, tkey-dhkey will warn
UNIX Domain sockets --- --- fatal error in named and named-checkconf fatal error in named
Windows 32-bit support --- --- --- removed deprecated
Zone type delegation-only, and the delegation-only and root-delegation-only statements --- --- obsolete deprecated (9.18.4)


Utility 9.18 9.16 9.16-S 9.11 9.11-S
dig +unexpected removed, +qid= and +dns64prefix added; dig is now able to send DOH and DOT queries; dig output now includes the transport protocol used all all all all
dnssec-cds all all all --- ---