
BIND 9 Significant Features Matrix

  • Updated on 18 Oct 2018

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences among the currently supported main versions of BIND 9, with some provisional but incomplete insight into our future release plans where features overlap with already-released branches.

Feature | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12
Removed support for | | | | | | | dig +sigchase, lwresd, dlv trust anchor

Automatic interface scanning

allallallallall
Case-sensitive name compression | 9.9.5 | 9.9.5-S1 | all | all | all | all | all
Crypto: Native PKCS#11

allallallallall
DDOS Mitigation: DNS COOKIE (previously called SIT)

all (with --enable-sit);
code point updated to COOKIE in 9.10.3
allallall
(multiple cookie secret added)
all
(multiple cookie secret added)
DDOS Mitigation: Faster RPZ and new triggers
allallallallall (refactored RPZ)all (refactored RPZ)
DDOS Mitigation: Fetch limits (DDoS mitigation for recursive servers) | 9.9.8 (with --enable-fetchlimit) | 9.9.6-S1 (revised 9.9.8-S1) | 9.10.3 (with --enable-fetchlimit) | all | all | all | all
DDOS Mitigation: Minimal response to 'any' queries


 allallall
DDOS Mitigation: Multiple response rate limiters for different domains
9.9.5-S1
all
all 
DDOS Mitigation: Response rate limiting (RRL) | 9.9.4 (with --enable-rrl) | all | all | all | all | all | all
DDOS Mitigation: SERVFAIL caching
9.9.6-S1
allallallall
DDOS Mitigation: Size & ratio controls for response rate limiters
9.9.5-S1
all
all 
DDOS Mitigation: Serve Stale | | | | | | 9.11.4-S | all
DNSSEC: Automatic creation of CDS, CDSKEY records


 allallall
DNSSEC: Negative trust anchors
9.9.6-S1
allallallall
EDNS Client-Subnet (ECS) for resolver


all
all
EDNS Client-Subnet (ECS) option support for authoritative servers


expexpexpexp
EDNS EXPIRE option (server side) | | | all (with experimental code point); EXPIRE code point finalized in 9.10.1 | all | all | all | all
EDNS EXPIRE option (client side) | | | | | all | all | all
EDNS: Improved EDNS fallback processingallallallallall
EDNS Padding (RFC 7830) | | | | 9.10.5-S1 | | all | all
GeoIP support
allallallallallall
Management: Detailed statistics counters
allallallallallall
Management: DNSTAP query/response logging
9.9.8-S5
allallallall
Management: automatic DNSTAP file rolling | | 9.9.9-S1 | | all | | all | all
Management: timestamp suffix option for rolled log files and DNSTAP files | | | | all | | all | all
Management: JSON statistics
allallallallallall
Management: New XML statistics schema | 9.9.3 | all (with --enable-newstats) | all | all | all | all | all
Management: Prevent duplicate named server instances allallall
Management: Traffic size statistics (per RSSAC02)allallall
nxdomain-redirect option9.9.8-S1allallallall
Performance: EDNS TCP keepalive support (RFC 7828) | | | | all | | all | all
Performance: Fast "map" format zone filesallallallall
Performance: glue cache | | | | | | | all
Performance: Large server tuningallallallallallall
Performance: minimal responses | | | | | | | all
Performance: mutex locking fixes (resolver) | | | | all | all | all | all
Performance: answer synthesis from cached NSEC | | | | | | | all
Performance: Pipelined TCP queries (server side)


all
9.10.6-S2 maximum timeout increased
allall
maximum timeout increased
all
maximum timeout increased
Performance: TCP connection sharing for update forwarding | | | | | all | all | all
Performance: Separate rate limiting for startup NOTIFY messages
9.9.7-S1
allallallall
Provisioning: Catalog zones


 allallall
Provisioning: Dynamic DB (DynDB) support


 allallall
Provisioning: in-view zone option

allallallallall
Resolver: Cache prefetch

allallallallall
Resolver: Prefer IPv6 when querying authoritative servers
9.9.8-S5
allallallall
RNDC: "showzone", "modzone", faster "delzone"
9.9.8-S5
allallallall
RNDC: Python module allallall
RNDC: read-only option9.9.9-S1allallallall
RNDC: zone status reporting

allallallallall
RPZ: refactored RPZ | | | | | | all | all
RPZ: Response Policy Service API | | | | | | | all

New utilities that have been introduced in each branch

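Utility | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12
delv | | | all | all | all | all | all
dnssec-cds | | | | | | | all
dnssec-checkds | 9.9.2 | all | all | all | all | all | all
dnssec-coverage | 9.9.3 | all | all | all | all | all | all
dnssec-importkey | 9.9.5 | 9.9.5-S1 | all | all | all | all | all
dnssec-keymgr | | | | | all | all | all
dnssec-verify | 9.9.2 | all | all | all | all | all | all
dnstap-read | | | | | all | all | all
mdig | | | | | all | all | all
named-rrchecker | | | all | all | all | all | all
tsig-keygen | | | all | all | all | all | all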

Notes:

  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.