BIND 9 Significant Features Matrix
  • Updated on 08 Jul 2020
  • 2 minutes to read
  • Contributors
  • Print
  • Share
  • Dark

BIND 9 Significant Features Matrix

  • Print
  • Share
  • Dark

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Features Added

Compression on source tarballsgz (tar.gz)gz (tar.gz)gz (tar.gz)gz (tar.gz)xz (tar.xz) 9.15.7xz (tar.xz)
Crypto:Native PKCS#11allallallallallall
DDOS Mitigation: DNS COOKIE (previously called SIT)allall
(multiple cookie secret added)
(multiple cookie secret)
all, (multiple cookie secret)all, (multiple cookie secret)all, (multiple cookie secret)
DDOS Mitigation: Faster RPZ and new triggersallall
DDOS Mitigation: Multiple response rate limiters for different domains

DDOS Mitigation: Size & ratio controls for response rate limiters

DDOS Mitigation: Serve Stale 9.11.4-Sallallallall
DNSSEC: Key and Signing Policy

DNSSEC: "validate-except" Permanent Negative trust anchorsallallall
EDNS Client-Subnet (ECS) for resolver

EDNS Client-Subnet (ECS) option support for authoritative serversexpexpexpexpremovedremoved
EDNS Padding (RFC 7830) allallallallall
GeoIP supportallallallallall2.0 api
Management: automatic DNSTAP file rolling allallallallall
Management: timestamp suffix option for rolled log files and DNSTAP files allallallallall
Mirror Zonesall (9.13.2)allall
Module - plug-in support for query processingall (9.13.2)allall
Performance: EDNS TCP keepalive support (RFC 7828) allallallallall
Performance: glue cache  allallallall
Performance: minimal responses  allallallall
Performance: answer synthesis from cached NSEC  all/enabledall/enableddisabled by defaultall, disabled
Performance: Pipelined TCP queries (server side)allall
maximum timeout increased
maximum timeout increased
all, longer max timeoutall, longer max timeoutall, longer max timeout
QNAME Minimization

RPZ: refactored RPZ allallallallall
RPZ: Response Policy Service API  allallallall
Umbrella PROTOSS EDNS option all


Features Removed (or planned for removal)

In the following table, "deprecated" means that the option is still usable, but it's use is discouraged because it is going to be obsoleted in a future version. "Obsoleted" options are no longer in use - they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment (2) deprecation (3) removal) but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."

cleaning-intervalremoved ----- -----
dig+sigchaseremoved----- ----- ----- -----
dlv trust anchorremoved----- ----- ----- -----
DLV (DNSSEC Look-Aside Validator)    deprecatedremoved -----
DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST) removed----- ----- -----
DNSSEC enable   9.15.1
on by default
DNSSEC managed-keys   9.15.1
replaced with dnssec-keys plus initial-key
DNSSEC trusted-keys   9.15.1
replaced with dnssec-keys plus static-key
EDNS Client-Subnet (ECS) authoritative removed----- ----- -----
lwresdremoved----- ----- ----- -----
Windows 32-bit support----- ----- ----- deprecatedremoval planned

Utilities Added

Utility9.119.11 S9.
dnssec-cds  allallallall


  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.
Was this article helpful?