-
DarkLight
BIND 9 Significant Features Matrix
- Updated on 04 Sep 2018
- 9 minutes to read
-
Contributors
The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).
| Feature | 9.9 | 9.9 S (stable preview) | 9.10 | 9.10 S | 9.11 | 9.11 S | 9.12 |
|---|---|---|---|---|---|---|---|
| Removed support for | dig + sigchase lwresd dlv trust anchor | ||||||
| Automatic interface scanning | all | all | all | all | all | ||
| Case-sensitive name compression | 9.9.5 | 9.9.5-S1 | all | all | all | all | all |
| Crypto: Native PKCS#11 | all | all | all | all | all | ||
| DDOS Mitigation: DNS COOKIE (previously called SIT) | all (with --enable-sit); code point updated to COOKIE in 9.10.3 | all | all | all (multiple cookie secret added) | all (multiple cookie secret added) | ||
| DDOS Mitigation: Faster RPZ and new triggers | all | all | all | all | all (refactored RPZ) | all (refactored RPZ) | |
| DDOS Mitigation: Fetch limits (DDoS mitigation for recursiveservers) | 9.9.8 (with --enable-fetchlimit) | 9.9.6-S1 (revised 9.9.8-S1) | 9.10.3 (with --enable-fetchlimit) | all | all | all | all |
| DDOS Mitigation: Minimal response to 'any' queries | all | all | all | ||||
| DDOS Mitigation: Multiple response rate limiters for different domains | 9.9.5-S1 | all | all | ||||
| DDOS Mitigation: Response rate limiting (RRL) | 9.9.4 (with --enable-rrl) | all | all | all | all | all | all |
| DDOS Mitigation: SERVFAIL caching | 9.9.6-S1 | all | all | all | all | ||
| DDOS Mitigation: Size & ratio controls for response rate limiters | 9.9.5-S1 | all | all | ||||
| DDOS Mitigation: Serve Stale | 9.11.4-S | all | |||||
| DNSSEC: Automatic creation of CDS, CDSKEY records | all | all | all | ||||
| DNSSEC: Negative trust anchors | 9.9.6-S1 | all | all | all | all | ||
EDNS Client-Subnet (ECS) for resolver | all | all | |||||
| EDNS Client-Subnet (ECS) option support for authoritative servers | exp | exp | exp | exp | |||
| EDNS EXPIRE option (server side) | all (with experimental code point); EXPIRE code point finalized in 9.10.1 | all | all | all | all | ||
| EDNS EXPIRE option (client side) | all | all | all | ||||
| EDNS: Improved EDNS fallback processing | all | all | all | all | all | ||
| EDNS Padding (RFC 7830) | 9.10.5-S1 | all | all | ||||
| GeoIP support | all | all | all | all | all | all | |
| Management: Detailed statistics counters | all | all | all | all | all | all | |
| Management: DNSTAP query/response logging | 9.9.8-S5 | all | all | all | all | ||
| Management: automatic DNSTAP file rolling | 9.9.9-S1 | all | all | all | |||
| Management: timestamp suffix option for rolled log files and DNSTAP files | all | all | all | ||||
| Management: JSON statistics | all | all | all | all | all | all | |
| Management: New XML statistics schema | 9.9.3 | all (with --enable-newstats) | all | all | all | all | all |
| Management: Prevent duplicate named server instances | all | all | all | ||||
| Management: Traffic size statistics (per RSSAC02) | all | all | all | ||||
| nxdomain-redirect option | 9.9.8-S1 | all | all | all | all | ||
| Performance: EDNS TCP keepalive support (RFC 7828) | all | all | all | ||||
| Performance: Fast "map" format zone files | all | all | all | all | all | ||
| Performance: glue cache | all | ||||||
| Performance: Large server tuning | all | all | all | all | all | all | |
| Performance: minimal responses | all | ||||||
| Performance: mutex locking fixes (resolver) | all | all | all | all | |||
| Performance: answer synthesis from cached NSEC | all | ||||||
| Performance: Pipelined TCP queries (server side) | all 9.10.6-S2 maximum timeout increased | all | all maximum timeout increased | all maximum timeout increased | |||
| Performance: TCP connection sharing for update forwarding | all | all | all | ||||
| Performance: Separate rate limiting for startup NOTIFY messages | 9.9.7-S1 | all | all | all | all | ||
| Provisioning: Catalog zones | all | all | all | ||||
| Provisioning: Dynamic DB (DynDB) support | all | all | all | ||||
| Provisioning: in-view zone option | all | all | all | all | all | ||
| Resolver: Cache prefetch | all | all | all | all | all | ||
| Resolver: Prefer IPv6 when querying authoritative servers | 9.9.8-S5 | all | all | all | all | ||
| RNDC: "showzone", "modzone", faster "delzone" | 9.9.8-S5 | all | all | all | all | ||
| RNDC: Python module | all | all | all | ||||
| RNDC: read-only option | 9.9.9-S1 | all | all | all | all | ||
| RNDC: zone status reporting | all | all | all | all | all | ||
| RPZ: refactored RPZ | all | all | |||||
| RPZ: Response Policy Service API | all |
New utilities that have been introduced in each branch
| Utility | 9.9 | 9.9 S (stable preview) | 9.10 | 9.10 S | 9.11 | 9.11 S | 9.12 |
|---|---|---|---|---|---|---|---|
| delv | all | all | all | all | all | ||
| dnssec-cds | all | ||||||
| dnssec-checkds | 9.9.2 | all | all | all | all | all | all |
| dnssec-coverage | 9.9.3 | all | all | all | all | all | all |
| dnssec-importkey | 9.9.5 | 9.9.5-S1 | all | all | all | all | all |
| dnssec-keymgr | all | all | all | ||||
| dnssec-verify | 9.9.2 | all | all | all | all | all | all |
| dnstap-read | all | all | all | ||||
| mdig | all | all | all | ||||
| named-rrchecker | all | all | all | all | all | ||
| tsig-keygen | all | all | all | all | all |
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch
- version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch
- DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all unix/linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.