BIND 9 Significant Features Matrix
The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences between the currently supported main versions of BIND 9, with some provisional but incomplete insight into future release plans where features overlap with already-released branches.
See also the ISC KB articles on upgrading from BIND 9.11 to 9.16 and on upgrading from BIND 9.16 to 9.18.
The tables below do not include changes in the build environment or platform support; those requirements are listed in the platforms.md file at the top level of the BIND distribution.
Refactoring
BIND's interface to the network was refactored during the 9.15 to 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring replaced BIND's native network interface with the widely used libuv library. While this did not change any features, it affected performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.
Major Features Added or Changed
Feature | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18 | 9.18-S |
---|---|---|---|---|---|---|
Compression on source tarballs | gz (tar.gz) | gz (tar.gz) | xz (tar.xz) 9.15.7 | xz (tar.xz) | xz (tar.xz) | xz (tar.xz) |
DDOS Mitigation: DNS COOKIE (previously called SIT) | updated in 9.11.26 aes or sha256 | algorithm changed to siphash24, multiple cookie secrets added | updated in 9.16.10 | updated in 9.16.10-S | all | all |
DDOS Mitigation: Multiple response rate limiters for different domains | --- | all | --- | all | --- | all |
DDOS Mitigation: Size & ratio controls for response rate limiters | --- | all | --- | all | --- | all |
DNSSEC: Key and Signing Policy | --- | --- | new | new | updated | updated |
DNSSEC validation | default changed from yes to auto | auto | auto | auto | | |
DNSSEC: "validate-except" Permanent Negative trust anchors | --- | added (backported from 9.13.10) | all | all | all | all |
DNS over HTTPS (DoH) (RFC 8484) | --- | --- | --- | --- | all | all |
DNS over TLS (DoT) (RFC 7858) | --- | --- | --- | --- | all | all |
Documentation - BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs | --- | --- | all | --- | all | all |
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) | 9.11.24 | 9.11.24 | 9.16.8 | 9.16.8 | all | all |
EDNS Client-Subnet (ECS) for resolver | --- | all, updated 9.11.26-S | --- | all, updated 9.16.10-S | --- | all |
EDNS Client-Subnet (ECS) option support for authoritative servers | experimental | exp | removed | removed | --- | --- |
EDNS Padding (RFC 7830) | --- | all | all | all | all | all |
Extended Errors (RFC 8914) | --- | --- | --- | --- | #18 | #18 |
GeoIP support | all | all | all | 2.0 api | 2.0 api | 2.0 api |
IXFR size limits | --- | --- | new max-ixfr-ratio option | all | all | all |
Management: automatic DNSTAP file rolling | --- | added | all | all | all | all |
Management: timestamp suffix option for rolled log files and DNSTAP files | --- | added | all | all | all | all |
Mirror Zones (RFC 8806) | --- | --- | added (9.13.2) | all | all | all |
BIND Modules - plug-in support for query processing | --- | --- | added (9.13.2) | all | now asynchronous | now asynchronous |
Performance: EDNS TCP keepalive support (RFC 7828) | --- | all | all | all | all | all |
Performance: glue cache | --- | --- | added | added | The option has been deprecated. The feature will be enabled by default in future | The option has been deprecated. The feature will be enabled by default in future |
Performance: minimal responses (RFC 8482) | --- | --- | added | added | all | all |
Performance: answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/) | --- | --- | present, disabled by default | present, disabled by default | modified, re-enabled by default | modified, re-enabled by default |
Performance: Pipelined TCP queries (server side) (RFC 7766) | all | all | all | all | all | |
maximum timeout increased | all, longer max timeout | all, longer max timeout | all | all | all | all |
QNAME Minimization (RFC 9156) | all | all | all | all | all | |
RPZ-passthru new logging channel | --- | --- | --- | --- | all | all |
RPZ: refactored RPZ | --- | all, rate limits for updates improved performance and reliability | all | all | all | all |
RPZ: 'nsdname-wait-recurse' | --- | all | all | all | all | all |
RPZ: Response Policy Service API | --- | --- | new | new | all | all |
New RRs | --- | --- | --- | --- | HTTPS, SVCB | HTTPS, SVCB |
Serve Stale | --- | 9.11.4-S, updated 9.11.25-S, 9.11.30-S1 | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S | see KB | see KB |
Umbrella PROTOSS EDNS option | new | --- | all | --- | all | |
Zone transfer over TLS, aka XoT (RFC 9103) | --- | --- | --- | --- | new | new |
Features Removed (or planned for removal)
In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it is going to be obsoleted in a future version; deprecated options typically generate a warning when used. "Obsoleted" options are no longer in use: they are either ignored, or named.conf will not load with them present. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment, (2) deprecation, (3) removal), but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."
Feature | 9.12 | 9.14 | 9.15 | 9.16 | 9.18 | 9.20 | 9.22 | 9.24
---|---|---|---|---|---|---|---|---
acache cleaning-interval, acache enable, additional from auth, additional from cache | additional data now recorded in main cache | --- | --- | --- | ---
cleaning-interval | obsolete | obsolete | removed | --- | --- | --- | ---
Crypto: Native PKCS#11 | deprecated | removed in 9.18, replaced with OpenSC PKCS#11 | --- | --- | ---
dig +sigchase | removed | --- | --- | --- | --- | --- | --- | ---
dlv trust anchor | removed | --- | --- | --- | --- | --- | --- | ---
DLV (DNSSEC Look-Aside Validator) | deprecated | removed | --- | --- | --- | ---
DLZ drivers (DLZ *modules* unaffected) | deprecated in 9.17.19, to be removed by 9.18 | --- | --- | ---
DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST) | removed | --- | --- | --- | --- | --- | ---
DNSSEC enable | 9.15.1: DNSSEC enabled by default | obsolete | obsolete | --- | --- | ---
DNSSEC managed-keys | 9.15.1: replaced with trust-anchors plus initial-key | --- | --- | ---
DNSSEC trusted-keys | 9.15.1: replaced with trust-anchors plus static-key | --- | --- | ---
DSCP | deprecated/non-operational | deprecated/non-operational | obsolete | --- | ---
EDNS Client-Subnet (ECS) authoritative | removed | --- | --- | --- | --- | --- | ---
lwresd | removed | --- | --- | --- | --- | --- | --- | ---
'map' zone file format | deprecated | removed | --- | --- | ---
Source ports: explicit definition of source ports for outgoing connections | discouraged, as it implicitly disables source port randomization | deprecated | obsolete | ---
TKEY mode 2 (switch to TKEY mode 3, GSS-API) | deprecated, tkey-dhkey will warn | removed, along with dnssec-keygen -a DH and dnssec-keyfromlabel -a DH | --- | ---
Windows 32-bit support | --- | --- | --- | deprecated | removed | --- | --- | ---
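A pre-upgrade check for named.conf that flags the options listed in the table above, added here as an example; it is not ISC's code. The named.conf spellings of the options (for instance additional-from-auth, dnssec-lookaside, masterfile-format map) and the replacement advice are assumptions drawn from the table, and only // and # line comments are ignored, not /* */ block comments.

```python
import re

# Option names as they appear in named.conf (assumed from the table) and the
# status/advice the table gives for them.
CACHE_NOTE = "drop it; additional data is now recorded in the main cache"
FLAGGED_OPTIONS = {
    "acache-enable": ("removed", CACHE_NOTE),
    "acache-cleaning-interval": ("removed", CACHE_NOTE),
    "additional-from-auth": ("removed", CACHE_NOTE),
    "additional-from-cache": ("removed", CACHE_NOTE),
    "cleaning-interval": ("removed", "drop the option"),
    "dnssec-enable": ("obsolete", "DNSSEC is enabled by default since 9.15.1"),
    "managed-keys": ("replaced", "use trust-anchors { ... initial-key ... }"),
    "trusted-keys": ("replaced", "use trust-anchors { ... static-key ... }"),
    "dnssec-lookaside": ("removed", "DLV is gone; delete the option"),
    "dscp": ("obsolete", "non-operational; drop the option"),
    "tkey-dhkey": ("removed", "switch to TKEY mode 3 (GSS-API)"),
}

def scan_named_conf(text):
    """Return [(line_no, option, status, advice)] for every flagged option."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//")[0].split("#")[0]  # ignore line comments
        for opt, (status, advice) in FLAGGED_OPTIONS.items():
            # whole-word match: "cleaning-interval" must not hit "acache-cleaning-interval"
            if re.search(r"(?<![\w-])" + re.escape(opt) + r"(?![\w-])", code):
                findings.append((no, opt, status, advice))
        if re.search(r"\bmasterfile-format\s+map\b", code):
            findings.append((no, "masterfile-format map", "removed",
                             "convert the zone file to text or raw format"))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    dnssec-enable yes;
    cleaning-interval 60;
    dscp 46;
    // managed-keys mentioned only in this comment
};
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-KEY";
};
zone "example.test" { type primary; file "example.map"; masterfile-format map; };
"""
```

Running scan_named_conf over SAMPLE_NAMED_CONF reports lines 3, 4, 5, 8 and 11; the comment on line 6 is skipped.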
Utilities
Utility | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18 |
---|---|---|---|---|---|
dig | all | all | all | all | +unexpected removed; +qid= option; dig can now send DoH and DoT queries; dig output now includes the transport protocol used |
dnssec-cds | --- | --- | all | all | all |
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
- DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.