BIND 9 Significant Features Matrix
  • Updated on 01 Nov 2019
  • 5 minutes to read
  • Contributors
  • Print
  • Share
  • Dark

BIND 9 Significant Features Matrix

  • Print
  • Share
  • Dark

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Features Added

Automatic interface scanningallallallallall
Crypto: Native PKCS#11allallallallall
DDOS Mitigation: DNS COOKIE (previously called SIT)allallall
(multiple cookie secret added)
(multiple cookie secret added)
DDOS Mitigation: Faster RPZ and new triggersallallall (refactored RPZ)all (refactored RPZ)all
DDOS Mitigation: Minimal response to 'any' queries allallallall
DDOS Mitigation: Multiple response rate limiters for different domainsall
all all
DDOS Mitigation: SERVFAIL cachingallallallallall
DDOS Mitigation: Size & ratio controls for response rate limitersall
DDOS Mitigation: Serve Stale  9.11.4-Sallall
DNSSEC: Automatic creation of CDS, CDSKEY records allallallall
DNSSEC: Negative trust anchorsallallallallall
DNSSEC: "validate-except" Permanent Negative trust anchorsall
EDNS Client-Subnet (ECS) for resolverall

EDNS Client-Subnet (ECS) option support for authoritative serversexpexpexpexpremoved
EDNS EXPIRE option (server side)allallallallall
EDNS EXPIRE option (client side) allallallall
EDNS: Improved EDNS fallback processingallallallallall
EDNS Padding (RFC 7830)9.10.5-S1 allallall
GeoIP supportallallallallall
Management: DNSTAP query/response loggingallallallallall
Management: automatic DNSTAP file rollingall allallall
Management: timestamp suffix option for rolled log files
and DNSTAP files
all allallall
Management: Prevent duplicate named server instances allallallall
Management: Traffic size statistics (per RSSAC02)allallallall
Mirror Zonesall (9.13.2)
Module - plug-in support for query processingall (9.13.2)
nxdomain-redirect optionallallallallall
Performance: EDNS TCP keepalive support (RFC 7828)all allallall
Performance: Fast "map" format zone filesallallallall
Performance: glue cache   allall
Performance: minimal responses   allall
Performance: mutex locking fixes (resolver)allallallallall
Performance: answer synthesis from cached NSEC   allall
Performance: Pipelined TCP queries (server side)all
9.10.6-S2 maximum timeout increased
maximum timeout increased
maximum timeout increased
Performance: TCP connection sharing for update forwarding allallallall
Performance: Separate rate limiting for startup NOTIFY messagesallallallallall
Provisioning: Catalog zones allallallall
Provisioning: Dynamic DB (DynDB) support allallallall
Provisioning: in-view zone optionallallallallall
QNAME Minimization

Resolver: Cache prefetchallallallallall
Resolver: Prefer IPv6 when querying authoritative serversallallallallall
RNDC: "showzone", "modzone", faster "delzone"allallallallall
RNDC: Python moduleallallall
RNDC: read-only optionallallallallall
RNDC: zone status reportingallallallallall
RPZ: refactored RPZ  allallall
RPZ: Response Policy Service API   allall
Umbrella PROTOSS EDNS option  9.11.4-S

Features Removed (or planned for removal)

In the following table, "deprecated" means that the option is still usable, but it's use is discouraged because it is going to be obsoleted in a future version. "Obsoleted" options are no longer in use - they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment (2) deprecation (3) removal) but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."

cleaning-intervalremoved ----- -----
dig+sigchaseremoved----- ----- ----- -----
dlv trust anchorremoved----- ----- ----- -----
DLV (DNSSEC Look-Aside Validator)    deprecatedremoved -----
DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST) removed----- ----- -----
DNSSEC enable   9.15.1
on by default
DNSSEC managed-keys   9.15.1
replaced with dnssec-keys plus initial-key
DNSSEC trusted-keys   9.15.1
replaced with dnssec-keys plus static-key
EDNS Client-Subnet (ECS) authoritative removed----- ----- -----
lwresdremoved----- ----- ----- -----
Windows 32-bit support----- ----- ----- deprecatedremoval planned

Utilities Added

Utility9.99.9-S (stable preview)9.109.10-S9.119.11 S9.129.14
delv  allallallallallall
dnssec-cds      allall
dnssec-keymgr    allallallall
dnstap-read    allallallall
mdig    allallallall
named-rrchecker  allallallallallall
tsig-keygen  allallallallallall


  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.
Was this article helpful?