BIND 9 Significant Features Matrix
  • 03 May 2023

Article Summary

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. The tables below list the major feature differences among the currently supported versions of BIND 9 (with some provisional, incomplete insight into our future release plans where features overlap with already-released branches).

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.

The tables below don't include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.

Refactoring

BIND's interface to the network was refactored during the 9.15 to 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this didn't result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.

Major Features Added or Changed

| Feature | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18 | 9.18-S |
|---|---|---|---|---|---|---|
| Compression on source tarballs | gz (tar.gz) | gz (tar.gz) | xz (tar.xz), 9.15.7 | xz (tar.xz) | xz (tar.xz) | xz (tar.xz) |
| DDoS Mitigation: DNS COOKIE (previously called SIT) | updated in 9.11.26 | aes or sha256 algorithm changed to siphash24, multiple cookie secrets added | updated in 9.16.10 | updated in 9.16.10-S | all | all |
| DDoS Mitigation: Multiple response rate limiters for different domains | --- | all | --- | all | --- | all |
| DDoS Mitigation: Size and ratio controls for response rate limiters | --- | all | --- | all | --- | all |
| DNSSEC: Key and Signing Policy | --- | --- | new | new | updated | updated |
| DNSSEC validation default changed from yes to auto | | | auto | auto | auto | auto |
| DNSSEC: "validate-except" permanent negative trust anchors | --- | added (backported from 9.13.10) | all | all | all | all |
| DNS over HTTPS (DoH) (RFC 8484) | --- | --- | --- | --- | all | all |
| DNS over TLS (DoT) (RFC 7858) | --- | --- | --- | --- | all | all |
| Documentation: BIND ARM converted from DocBook to reStructuredText, published on ReadTheDocs | --- | --- | all | --- | all | all |
| EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) | 9.11.24 | 9.11.24 | 9.16.8 | 9.16.8 | all | all |
| EDNS Client-Subnet (ECS) for resolver | --- | all, updated 9.11.26-S | --- | all, updated 9.16.10-S | --- | all |
| EDNS Client-Subnet (ECS) option support for authoritative servers | experimental | experimental | removed | removed | --- | --- |
| EDNS Padding (RFC 7830) | --- | all | all | all | all | all |
| Extended Errors (RFC 8914) | --- | --- | --- | --- | #18 | #18 |
| GeoIP support | all | all | all | 2.0 api | 2.0 api | 2.0 api |
| IXFR size limits | --- | --- | new max-ixfr-ratio option | all | all | all |
| Management: automatic DNSTAP file rolling | --- | added | all | all | all | all |
| Management: timestamp suffix option for rolled log files and DNSTAP files | --- | added | all | all | all | all |
| Mirror Zones (RFC 8806) | --- | --- | added (9.13.2) | all | all | all |
| BIND Modules: plug-in support for query processing | --- | --- | added (9.13.2) | all | now asynchronous | now asynchronous |
| Performance: EDNS TCP keepalive support (RFC 7828) | --- | all | all | all | all | all |
| Performance: glue cache | --- | --- | added | added | the option has been deprecated; the feature will be enabled by default in future | the option has been deprecated; the feature will be enabled by default in future |
| Performance: minimal responses (RFC 8482) | --- | --- | added | added | all | all |
| Performance: answer synthesis from cached NSEC (RFC 8198, https://datatracker.ietf.org/doc/rfc8198/) | --- | --- | present, disabled by default | present, disabled by default | modified, re-enabled by default | modified, re-enabled by default |
| Performance: pipelined TCP queries (server side) (RFC 7766) | all | all | all | all | all | all |
| Maximum timeout increased | all, longer max timeout | all, longer max timeout | all | all | all | all |
| QNAME Minimization (RFC 9156) | | all | all | all | all | all |
| RPZ: passthru new logging channel | --- | --- | --- | --- | all | all |
| RPZ: refactored RPZ | --- | all, rate limits for updates, improved performance and reliability | all | all | all | all |
| RPZ: 'nsdname-wait-recurse' | --- | all | all | all | all | all |
| RPZ: Response Policy Service API | --- | --- | new | new | all | all |
| New RRs | --- | --- | --- | --- | HTTPS, SVCB | HTTPS, SVCB |
| Serve Stale | --- | 9.11.4-S, updated 9.11.25-S, 9.11.30-S1 | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S | see KB | see KB |
| Umbrella PROTOSS EDNS option | | new | --- | all | --- | all |
| Zone transfer over TLS, aka XoT (RFC 9103) | --- | --- | --- | --- | new | new |

Features Removed (or planned for removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it is going to be obsoleted in a future version; typically these options generate a warning when used. "Obsoleted" options are no longer in use: they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment, (2) deprecation, (3) removal), but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."

Branches covered: 9.12, 9.14, 9.15, 9.16, 9.18, 9.20, 9.22 and 9.24. Where an option passes through several states, they are listed in branch order.

| Feature | Status |
|---|---|
| acache cleaning-interval, acache enable, additional-from-auth, additional-from-cache | additional data now recorded in main cache |
| cleaning-interval | obsolete → obsolete → removed |
| Crypto: Native PKCS#11 | deprecated → removed in 9.18, replaced with OpenSC PKCS#11 |
| dig +sigchase | removed |
| dlv trust anchor | removed |
| DLV (DNSSEC Look-Aside Validator) | deprecated → removed |
| DLZ drivers (DLZ *modules* unaffected) | deprecated in 9.17.19, to be removed by 9.18 |
| DNSSEC algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC3-SHA1 and ECC-GOST) | removed |
| DNSSEC enable | 9.15.1: DNSSEC enabled by default → obsolete → obsolete |
| DNSSEC managed-keys | 9.15.1: replaced with trust-anchors plus initial-key |
| DNSSEC trusted-keys | 9.15.1: replaced with trust-anchors plus static-key |
| DSCP | deprecated/non-operational → deprecated/non-operational → obsolete |
| EDNS Client-Subnet (ECS) authoritative | removed |
| lwresd | removed |
| 'map' zone file format | deprecated → removed |
| Source ports: explicit definition of source ports for outgoing connections (discouraged, as it implicitly disables source port randomization) | deprecated → obsolete |
| TKEY mode 2 (switch to TKEY mode 3, GSS-API) | deprecated, tkey-dhkey will warn → removed, also dnssec-keygen -a DH and dnssec-keyfromlabel -a DH |
| Windows 32-bit support | deprecated → removed |

Utilities

| Utility | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18 |
|---|---|---|---|---|---|
| dig | all | all | all | all | +unexpected removed; +qid= and +dns64prefix added; dig is now able to send DoH and DoT queries; dig output now includes the transport protocol used |
| dnssec-cds | --- | --- | all | all | all |

Notes:

  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature under the name SIT (server identity token). It could be enabled with --enable-sit in all Unix/Linux builds and was on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.