BIND 9 Significant Features Matrix
23 Jul 2024

This table lists the major feature differences among the current supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.

These tables do not include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.

BIND -S software

The "-S" (stable preview) editions are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.

Refactoring

BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this did not result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.

Notes:

  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.

Major Features Added or Changed

Columns: Feature, 9.20 (new stable), 9.18 (current stable), 9.18-S (current stable), 9.16 (EoL), 9.16-S (EoL)
BIND Modules: plug-in support for query processing now asynchronous now asynchronous added (9.13.2) all
cdnskey option in dnssec-policy, to permit or deny publication of CDNSKEY RRs. new --- --- --- ---
cds-digest-types option in dnssec-policy, to allow configuration of digest types for CDS RRs. new --- --- --- ---
check-svcb option, for additional SVCB RR checking. new --- --- --- ---
DNS COOKIE (previously called SIT) all all updated in 9.16.10 updated in 9.16.10-S
delv +ns more accurately mimics BIND behaviour. new --- --- --- ---
DNS over HTTPS (DoH) (RFC 8484) all all --- ---
DNS over TLS (DoT) (RFC 7858) all all --- ---
DNSSEC validation auto auto default changed from yes to auto auto
DNSSEC: Key and Signing Policy updated updated new new
dnssec-keygen -k and dnssec-keygen -k can be used together. new --- --- --- ---
dnssec-ksr utility for creation of Key Signing Request (KSR) and Signed Key Response (SKR) files. new --- --- --- ---
DNSSEC multi-signer model 2 (RFC 8901) support in inline-signing new --- --- --- ---
dnssec-signzone -G can be used to control publication of specific CDS and CDNSKEY RRs new --- --- --- ---
dnssec-verify -J and dnssec-signzone -J for reading journal files. new --- --- --- ---
dnstap-read prints long timestamps with millisecond precision. It can also understand DoT and DoH entries. new --- --- --- ---
dnstap emits distinct entries for DoT and DoH queries. new --- --- --- ---
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) all all 9.16.8 9.16.8
EDNS Client-Subnet (ECS) for resolver --- all --- all, updated 9.16.10-S
EDNS Client-Subnet (ECS) option support for authoritative servers --- --- removed removed
EDNS EXPIRE option now includes AXFR and IXFR new --- --- --- ---
Extended Errors (RFC 8914) #4, #15, #16, #17 #3, #18, #19 #18 --- ---
ede option for response-policy, to support Extended DNS Errors. new
Forwarding using TLS to DoT-enabled servers, including forwarding of dynamic updates. new
Information about ongoing zone transfers in the statistics-channel, including a "first refresh" flag. new
IXFR size limits all all new max-ixfr-ratio option all
key-store option in dnssec-policy for HSM support new
answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/) modified, re-enabled by default modified, re-enabled by default present, disabled by default present, disabled by default
recursive high-water statistics-channel counter, to show the maximum number of recursive clients handled so far during this run new --- --- --- ---
require-cookie option, for fallback to TCP if a remote server does not provide DNS cookies over UDP. new --- --- --- ---
resolver-use-dns64 option, to allow resolvers to use DNS64 addresses directly, e.g. through a NAT64 gateway. new --- --- --- ---
New RRs HTTPS, SVCB HTTPS, SVCB --- ---
rndc -t to specify command timeout. new --- --- --- ---
rndc fetchlimit reports servers currently rate-limited new --- --- --- ---
rndc status shows the number of zones in their first refresh cycle, either pending or active. new --- --- --- ---
source and source-v6 options can be used to replace *-source and *-source-v6 options. new --- --- --- ---
Performance: minimal responses (RFC 8482) all all added added
Performance: pipelined TCP queries (server side) (RFC 7766) all all --- all
PROXYv2 support, in both BIND and DiG new --- --- --- ---
RPZ-passthru new logging channel all all --- ---
RPZ: Response Policy Service API all all new new
Support for libsystemd's sd_notify() function, allowing systemd to know the status of named. new --- --- --- ---
Serve Stale see KB see KB all, updated 9.16.9, 9.16.13 all, updated 9.16.9-S, 9.16.13-S
TLSv1.3 cipher suites added. new --- --- --- ---
Umbrella PROTOSS EDNS option --- --- all --- all
User Statically Defined Tracing (USDT) probes. new --- --- --- ---
Zone transfer over TLS, aka XoT (RFC 9103) new new --- ---

Features Removed (or Planned for Removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of a deprecated feature generates a warning. Removing features reduces complexity, which is a major factor in stabilizing the software. Most of the deprecated features are little-used, and some are actually considered harmful in modern deployments, even if they once seemed like a good idea.

"Obsolete"/"Removed" options are no longer in use: they are either ignored, or named.conf will not load with them. We have a policy for removing options by a phased process: the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."

Columns: Feature, 9.24, 9.22, 9.20 (new stable), 9.18 (current stable), 9.16 (EoL)
acache cleaning-interval, acache enable, additional from auth, additional from cache --- --- --- --- additional data now recorded in main cache
alt-transfer-source, alt-transfer-source-v6 and use-alt-transfer-source --- --- obsolete
auto-dnssec --- --- removed
cleaning-interval --- --- --- --- removed
Compiling with jemalloc versions older than 4.0.0 --- --- removed
Configuration of UNIX domain sockets for the control channel --- --- obsolete
Configure option --enable-fixed-rrset deprecated
Configure option --with-tuning --- --- obsolete
coresize, datasize, files and stacksize options --- --- obsolete
delegation-only and root-delegation-only --- --- obsolete deprecated
DLZ drivers (DLZ modules unaffected) --- --- --- deprecated in 9.17.19, to be removed in 9.18
DNS COOKIE algorithm AES --- --- obsolete
DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST) --- --- --- --- ---
dnskey-sig-validity --- --- removed
dnssec-dnskey-kskonly --- --- removed
dnssec-enable --- --- --- obsolete obsolete
dnssec-must-be-secure --- fatal error, obsolete deprecation warning insecure answers will be accepted with NTA insecure answers will be accepted with NTA
dnssec-secure-to-insecure --- --- obsolete
dnssec-update-mode --- --- removed
DSCP --- --- obsolete deprecated/non-operational deprecated/non-operational
glue-cache option --- --- obsolete (glue cache is now permanently enabled)
keep-response-order --- --- obsolete
libbind9 shared library --- --- obsolete
libirs library --- --- obsolete --- ---
lock-file --- --- obsolete
map zone file format --- --- --- removed deprecated
max-zone-ttl deprecated
named -U --- --- obsolete
named -X --- --- obsolete
nsupdate -o deprecated
oldgsstsig deprecated
Native PKCS#11 --- --- --- removed in 9.18, replaced with OpenSC PKCS#11 deprecated
resolver-nonbackoff-tries and resolver-retry-interval --- --- obsolete
rrset-order fixed deprecated
sig-validity-interval --- --- removed
sortlist deprecated
Source ports: explicit definition of source ports for outgoing connections, i.e. specifying a port in the following statements: query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, parental-source-v6; or using the following statements at all: use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, avoid-v6-udp-ports --- obsolete deprecated discouraged, as it implicitly disables source port randomization
stale-answer-client-timeout values >0 --- --- obsolete
TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) --- --- obsolete and will cause a fatal error
TKEY mode 2, switch to TKEY Mode 3 (GSS-API) --- --- removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH deprecated, tkey-dhkey will warn
Triggering of key rollovers and denial-of-existence operations due to dynamic updates that add and remove DNSKEY and NSEC3PARAM records. --- --- obsolete
update-check-ksk --- --- removed
UNIX Domain sockets --- --- fatal error in named and named-checkconf fatal error in named
Windows 32-bit support --- --- --- obsolete deprecated
Zone type delegation-only, and the delegation-only and root-delegation-only statements --- --- obsolete deprecated (9.18.4)

Utilities

Columns: Utility, 9.18, 9.16, 9.16-S, 9.11, 9.11-S
dig +unexpected removed, +qid= and +dns64prefix added; dig is now able to send DoH and DoT queries; dig output now includes the transport protocol used all all all all
dnssec-cds all all all --- ---