BIND 9 Significant Features Matrix
  • Updated on 17 Apr 2019

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences among the currently supported main versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Feature | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12 | 9.14
Removed support for     dig + sigchase
lwresd
dlv trust anchor

ECS authoritative, ECC-GOST,
DNSSEC algorithms 3 (DSA)
and 6 (DSA-NSEC3-SHA1)
Automatic interface scanning
allallallallallall
Crypto: Native PKCS#11
allallallallallall
DDOS Mitigation: DNS COOKIE (previously called SIT)
all (with --enable-sit);
code point updated to COOKIE in 9.10.3
allallall
(multiple cookie secret added)
all
(multiple cookie secret added)
all
DDOS Mitigation: Faster RPZ and new triggersallallallallall (refactored RPZ)all (refactored RPZ)all
DDOS Mitigation: Minimal response to 'any' queries

 allallallall
DDOS Mitigation: Multiple response rate limiters for different domains9.9.5-S1
all
all all
DDOS Mitigation: SERVFAIL caching9.9.6-S1
allallallallall
DDOS Mitigation: Size & ratio controls for response rate limiters9.9.5-S1
all
all 
DDOS Mitigation: Serve Stale    9.11.4-Sallall
DNSSEC: Automatic creation of CDS, CDSKEY records

 allallallall
DNSSEC: Negative trust anchors9.9.6-S1
allallallallall
EDNS Client-Subnet (ECS) for resolver

all
all

EDNS Client-Subnet (ECS) option support for authoritative servers

expexpexpexpremoved
EDNS EXPIRE option (server side) all (with experimental code point);
EXPIRE code point finalized in 9.10.1
allallallallall
EDNS EXPIRE option (client side)   allallallall
EDNS: Improved EDNS fallback processingallallallallallall
EDNS Padding (RFC 7830)  9.10.5-S1 allallall
GeoIP supportallallallallallallall
Management: DNSTAP query/response logging9.9.8-S5
allallallallall
Management: automatic DNSTAP file rolling9.9.9-S1 all allallall
Management: timestamp suffix option for rolled log files
and DNSTAP files
  all allallall
Management: Prevent duplicate named server instances allallallall
Management: Traffic size statistics (per RSSAC02)allallallall
Mirror Zonesall (9.13.2)
Module - plug-in support for query processingall (9.13.2)
nxdomain-redirect option9.9.8-S1allallallallall
Performance: EDNS TCP keepalive support (RFC 7828)  all allallall
Performance: Fast "map" format zone filesallallallallallall
Performance: glue cache     allall
Performance: minimal responses     allall
Performance: mutex locking fixes (resolver)  allallallallall
Performance: answer synthesis from cached NSEC     allall
Performance: Pipelined TCP queries (server side)

all
9.10.6-S2 maximum timeout increased
allall
maximum timeout increased
all
maximum timeout increased
all
Performance: TCP connection sharing for update forwarding   allallallall
Performance: Separate rate limiting for startup NOTIFY messages9.9.7-S1
allallallallall
Provisioning: Catalog zones

 allallallall
Provisioning: Dynamic DB (DynDB) support

 allallallall
Provisioning: in-view zone option
allallallallallall
QNAME Minimization





all
Resolver: Cache prefetch
allallallallallall
Resolver: Prefer IPv6 when querying authoritative servers9.9.8-S5
allallallallall
RNDC: "showzone", "modzone", faster "delzone"9.9.8-S5
allallallallall
RNDC: Python module allallallall
RNDC: read-only option9.9.9-S1allallallallall
RNDC: zone status reporting
allallallallallall
RPZ: refactored RPZ    allallall
RPZ: Response Policy Service API     allall
Umbrella PROTOSS EDNS option    9.11.4-S

New utilities that have been introduced in each branch

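| Utility | 9.9 | 9.9-S (stable preview) | 9.10 | 9.10-S | 9.11 | 9.11-S | 9.12 | 9.14 |
|---|---|---|---|---|---|---|---|---|
| delv | | | all | all | all | all | all | all |
| dnssec-cds | | | | | | | all | all |
| dnssec-checkds | 9.9.2 | all | all | all | all | all | all | all |
| dnssec-coverage | 9.9.3 | all | all | all | all | all | all | all |
| dnssec-importkey | 9.9.5 | 9.9.5-S1 | all | all | all | all | all | all |
| dnssec-keymgr | | | | | all | all | all | all |
| dnssec-verify | 9.9.2 | all | all | all | all | all | all | all |
| dnstap-read | | | | | all | all | all | all |
| mdig | | | | | all | all | all | all |
| named-rrchecker | | | all | all | all | all | all | all |
| tsig-keygen | | | all | all | all | all | all | all |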

Notes:

  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.