BIND 9 Significant Features Matrix
- Updated on 28 Jun 2019
- 5 minutes to read
-
Contributors
-
Print
-
DarkLight
The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).
Features Added
| Feature | 9.10-S | 9.11 | 9.11-S | 9.12 | 9.14 |
|---|---|---|---|---|---|
| Automatic interface scanning | all | all | all | all | all |
| Crypto: Native PKCS#11 | all | all | all | all | all |
| DDOS Mitigation: DNS COOKIE (previously called SIT) | all | all | all (multiple cookie secret added) | all (multiple cookie secret added) | all |
| DDOS Mitigation: Faster RPZ and new triggers | all | all | all (refactored RPZ) | all (refactored RPZ) | all |
| DDOS Mitigation: Minimal response to 'any' queries | all | all | all | all | |
| DDOS Mitigation: Multiple response rate limiters for different domains | all | all | all | ||
| DDOS Mitigation: SERVFAIL caching | all | all | all | all | all |
| DDOS Mitigation: Size & ratio controls for response rate limiters | all | all | |||
| DDOS Mitigation: Serve Stale | 9.11.4-S | all | all | ||
| DNSSEC: Automatic creation of CDS, CDSKEY records | all | all | all | all | |
| DNSSEC: Negative trust anchors | all | all | all | all | all |
| DNSSEC: "validate-except" Permanent Negative trust anchors | all | ||||
| EDNS Client-Subnet (ECS) for resolver | all | all | |||
| EDNS Client-Subnet (ECS) option support for authoritative servers | exp | exp | exp | exp | removed |
| EDNS EXPIRE option (server side) | all | all | all | all | all |
| EDNS EXPIRE option (client side) | all | all | all | all | |
| EDNS: Improved EDNS fallback processing | all | all | all | all | all |
| EDNS Padding (RFC 7830) | 9.10.5-S1 | all | all | all | |
| GeoIP support | all | all | all | all | all |
| Management: DNSTAP query/response logging | all | all | all | all | all |
| Management: automatic DNSTAP file rolling | all | all | all | all | |
| Management: timestamp suffix option for rolled log files and DNSTAP files | all | all | all | all | |
| Management: Prevent duplicate named server instances | all | all | all | all | |
| Management: Traffic size statistics (per RSSAC02) | all | all | all | all | |
| Mirror Zones | all (9.13.2) | ||||
| Module - plug-in support for query processing | all (9.13.2) | ||||
| nxdomain-redirect option | all | all | all | all | all |
| Performance: EDNS TCP keepalive support (RFC 7828) | all | all | all | all | |
| Performance: Fast "map" format zone files | all | all | all | all | |
| Performance: glue cache | all | all | |||
| Performance: minimal responses | all | all | |||
| Performance: mutex locking fixes (resolver) | all | all | all | all | all |
| Performance: answer synthesis from cached NSEC | all | all | |||
| Performance: Pipelined TCP queries (server side) | all 9.10.6-S2 maximum timeout increased | all | all maximum timeout increased | all maximum timeout increased | all |
| Performance: TCP connection sharing for update forwarding | all | all | all | all | |
| Performance: Separate rate limiting for startup NOTIFY messages | all | all | all | all | all |
| Provisioning: Catalog zones | all | all | all | all | |
| Provisioning: Dynamic DB (DynDB) support | all | all | all | all | |
| Provisioning: in-view zone option | all | all | all | all | all |
| QNAME Minimization | all | ||||
| Resolver: Cache prefetch | all | all | all | all | all |
| Resolver: Prefer IPv6 when querying authoritative servers | all | all | all | all | all |
| RNDC: "showzone", "modzone", faster "delzone" | all | all | all | all | all |
| RNDC: Python module | all | all | all | ||
| RNDC: read-only option | all | all | all | all | all |
| RNDC: zone status reporting | all | all | all | all | all |
| RPZ: refactored RPZ | all | all | all | ||
| RPZ: Response Policy Service API | all | all | |||
| Umbrella PROTOSS EDNS option | 9.11.4-S |
Features Removed (or planned for removal)
In the following table, "deprecated" means that the option is still usable, but it's use is discouraged because it is going to be obsoleted in a future version. "Obsoleted" options are no longer in use - they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment (2) deprecation (3) removal) but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."
| Feature | 9.12 | 9.14 | 9.15 | 9.16 | 9.17 |
|---|---|---|---|---|---|
| cleaning-interval | removed | ----- | ----- | ||
| dig+sigchase | removed | ----- | ----- | ----- | ----- |
| dlv trust anchor | removed | ----- | ----- | ----- | ----- |
| DLV (DNSSEC Look-Aside Validator) | deprecated | removed | ----- | ||
| DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST) | removed | ----- | ----- | ----- | |
| DNSSEC enable | 9.15.1 on by default | ||||
| DNSSEC managed-keys | 9.15.1 replaced with dnssec-keys plus initial-key | ||||
| DNSSEC trusted-keys | 9.15.1 replaced with dnssec-keys plus static-key | ||||
| EDNS Client-Subnet (ECS) authoritative | removed | ----- | ----- | ----- | |
| lwresd | removed | ----- | ----- | ----- | ----- |
Utilities Added
| Utility | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11 S | 9.12 | 9.14 |
|---|---|---|---|---|---|---|---|---|
| delv | all | all | all | all | all | all | ||
| dnssec-cds | all | all | ||||||
| dnssec-checkds | 9.9.2 | all | all | all | all | all | all | all |
| dnssec-coverage | 9.9.3 | all | all | all | all | all | all | all |
| dnssec-importkey | 9.9.5 | 9.9.5-S1 | all | all | all | all | all | all |
| dnssec-keymgr | all | all | all | all | ||||
| dnssec-verify | 9.9.2 | all | all | all | all | all | all | all |
| dnstap-read | all | all | all | all | ||||
| mdig | all | all | all | all | ||||
| named-rrchecker | all | all | all | all | all | all | ||
| tsig-keygen | all | all | all | all | all | all |
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
- DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with
--enable-sitin all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.
Was this article helpful?