
BIND 9 Significant Features Matrix

  • Updated on 18 Oct 2018

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences among the main currently supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Feature | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12
Removed support for | | | | | | | dig +sigchase; lwresd; dlv trust anchor

Automatic interface scanning

allallallallall
Case-sensitive name compression | 9.9.5 | 9.9.5-S1 | all | all | all | all | all
Crypto: Native PKCS#11

allallallallall
DDOS Mitigation: DNS COOKIE (previously called SIT) | | | all (with --enable-sit); code point updated to COOKIE in 9.10.3 | all | all | all (multiple cookie secret added) | all (multiple cookie secret added)
DDOS Mitigation: Faster RPZ and new triggers
allallallallall (refactored RPZ)all (refactored RPZ)
DDOS Mitigation: Fetch limits (DDoS mitigation for recursive servers) | 9.9.8 (with --enable-fetchlimit) | 9.9.6-S1 (revised 9.9.8-S1) | 9.10.3 (with --enable-fetchlimit) | all | all | all | all
DDOS Mitigation: Minimal response to 'any' queries


 allallall
DDOS Mitigation: Multiple response rate limiters for different domains
9.9.5-S1
all
all 
DDOS Mitigation: Response rate limiting (RRL) | 9.9.4 (with --enable-rrl) | all | all | all | all | all | all
DDOS Mitigation: SERVFAIL caching
9.9.6-S1
allallallall
DDOS Mitigation: Size & ratio controls for response rate limiters
9.9.5-S1
all
all 
DDOS Mitigation: Serve Stale | | | | | | 9.11.4-S | all
DNSSEC: Automatic creation of CDS, CDSKEY records


 allallall
DNSSEC: Negative trust anchors
9.9.6-S1
allallallall
EDNS Client-Subnet (ECS) for resolver


all
all
EDNS Client-Subnet (ECS) option support for authoritative servers


expexpexpexp
EDNS EXPIRE option (server side) | | | all (with experimental code point); EXPIRE code point finalized in 9.10.1 | all | all | all | all
EDNS EXPIRE option (client side) | | | | | all | all | all
EDNS: Improved EDNS fallback processingallallallallall
EDNS Padding (RFC 7830) | | | | 9.10.5-S1 | | all | all
GeoIP support
allallallallallall
Management: Detailed statistics counters
allallallallallall
Management: DNSTAP query/response logging
9.9.8-S5
allallallall
Management: automatic DNSTAP file rolling | | 9.9.9-S1 | | all | | all | all
Management: timestamp suffix option for rolled log files and DNSTAP files | | | | all | | all | all
Management: JSON statistics
allallallallallall
Management: New XML statistics schema | 9.9.3 | all (with --enable-newstats) | all | all | all | all | all
Management: Prevent duplicate named server instances allallall
Management: Traffic size statistics (per RSSAC02)allallall
nxdomain-redirect option9.9.8-S1allallallall
Performance: EDNS TCP keepalive support (RFC 7828) | | | | all | | all | all
Performance: Fast "map" format zone filesallallallall
Performance: glue cache | | | | | | | all
Performance: Large server tuningallallallallallall
Performance: minimal responses | | | | | | | all
Performance: mutex locking fixes (resolver) | | | | all | all | all | all
Performance: answer synthesis from cached NSEC | | | | | | | all
Performance: Pipelined TCP queries (server side)


all
9.10.6-S2 maximum timeout increased
allall
maximum timeout increased
all
maximum timeout increased
Performance: TCP connection sharing for update forwarding | | | | | all | all | all
Performance: Separate rate limiting for startup NOTIFY messages
9.9.7-S1
allallallall
Provisioning: Catalog zones


 allallall
Provisioning: Dynamic DB (DynDB) support


 allallall
Provisioning: in-view zone option

allallallallall
Resolver: Cache prefetch

allallallallall
Resolver: Prefer IPv6 when querying authoritative servers
9.9.8-S5
allallallall
RNDC: "showzone", "modzone", faster "delzone"
9.9.8-S5
allallallall
RNDC: Python module allallall
RNDC: read-only option9.9.9-S1allallallall
RNDC: zone status reporting

allallallallall
RPZ: refactored RPZ | | | | | | all | all
RPZ: Response Policy Service API | | | | | | | all

New utilities that have been introduced in each branch

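Utility | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12
delv | | | all | all | all | all | all
dnssec-cds | | | | | | | all
dnssec-checkds | 9.9.2 | all | all | all | all | all | all
dnssec-coverage | 9.9.3 | all | all | all | all | all | all
dnssec-importkey | 9.9.5 | 9.9.5-S1 | all | all | all | all | all
dnssec-keymgr | | | | | all | all | all
dnssec-verify | 9.9.2 | all | all | all | all | all | all
dnstap-read | | | | | all | all | all
mdig | | | | | all | all | all
named-rrchecker | | | all | all | all | all | all
tsig-keygen | | | all | all | all | all | all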

Notes:

  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.