BIND 9 Significant Features Matrix
- Updated on 03 Mar 2020
- 3 minutes to read
-
Contributors
-
Print
-
DarkLight
The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).
Features Added
| Feature | 9.11 | 9.11-S | 9.12 | 9.14 | 9.16 | 9.16-S | |
|---|---|---|---|---|---|---|---|
| Compression on source tarballs | gz (tar.gz) | gz (tar.gz) | gz (tar.gz) | gz (tar.gz) | xz (tar.xz) 9.15.7 | xz (tar.xz) | |
| Crypto:Native PKCS#11 | all | all | all | all | all | all | |
| DDOS Mitigation: DNS COOKIE (previously called SIT) | all | all (multiple cookie secret added) | all (multiple cookie secret) | all, (multiple cookie secret) | all, (multiple cookie secret) | all, (multiple cookie secret) | |
| DDOS Mitigation: Faster RPZ and new triggers | all | all (refactored RPZ) | all (refactored) | all (refactored) | all (refactored) | all (refactored) | |
| DDOS Mitigation: Multiple response rate limiters for different domains | all | all | all | all | |||
| DDOS Mitigation: Size & ratio controls for response rate limiters | all | all | |||||
| DDOS Mitigation: Serve Stale | 9.11.4-S | all | all | all | all | ||
| DNSSEC: Key and Signing Policy | all | all | |||||
| DNSSEC: "validate-except" Permanent Negative trust anchors | all | all | all | ||||
| EDNS Client-Subnet (ECS) for resolver | all | all | |||||
| EDNS Client-Subnet (ECS) option support for authoritative servers | exp | exp | exp | exp | removed | removed | |
| EDNS Padding (RFC 7830) | all | all | all | all | all | ||
| GeoIP support | all | all | all | all | all | 2.0 api | |
| Management: automatic DNSTAP file rolling | all | all | all | all | all | ||
| Management: timestamp suffix option for rolled log files and DNSTAP files | all | all | all | all | all | ||
| Mirror Zones | all (9.13.2) | all | all | ||||
| Module - plug-in support for query processing | all (9.13.2) | all | all | ||||
| Performance: EDNS TCP keepalive support (RFC 7828) | all | all | all | all | all | ||
| Performance: glue cache | all | all | all | all | |||
| Performance: minimal responses | all | all | all | all | |||
| Performance: answer synthesis from cached NSEC | all/enabled | all/enabled | disabled by default | all, disabled | |||
| Performance: Pipelined TCP queries (server side) | all | all maximum timeout increased | all maximum timeout increased | all, longer max timeout | all, longer max timeout | all, longer max timeout | |
| QNAME Minimization | all | all | all | ||||
| RPZ: refactored RPZ | all | all | all | all | all | ||
| RPZ: Response Policy Service API | all | all | all | all | |||
| Umbrella PROTOSS EDNS option | all | all |
Features Removed (or planned for removal)
In the following table, "deprecated" means that the option is still usable, but it's use is discouraged because it is going to be obsoleted in a future version. "Obsoleted" options are no longer in use - they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment (2) deprecation (3) removal) but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."
| Feature | 9.12 | 9.14 | 9.15 | 9.16 | 9.17 |
|---|---|---|---|---|---|
| cleaning-interval | removed | ----- | ----- | ||
| dig+sigchase | removed | ----- | ----- | ----- | ----- |
| dlv trust anchor | removed | ----- | ----- | ----- | ----- |
| DLV (DNSSEC Look-Aside Validator) | deprecated | removed | ----- | ||
| DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST) | removed | ----- | ----- | ----- | |
| DNSSEC enable | 9.15.1 on by default | ||||
| DNSSEC managed-keys | 9.15.1 replaced with dnssec-keys plus initial-key | ||||
| DNSSEC trusted-keys | 9.15.1 replaced with dnssec-keys plus static-key | ||||
| EDNS Client-Subnet (ECS) authoritative | removed | ----- | ----- | ----- | |
| lwresd | removed | ----- | ----- | ----- | ----- |
| Windows 32-bit support | ----- | ----- | ----- | deprecated | removal planned |
Utilities Added
| Utility | 9.11 | 9.11 S | 9.12 | 9.14 | 9.16 | 9.16-S |
|---|---|---|---|---|---|---|
| dnssec-cds | all | all | all | all | ||
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
- DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with
--enable-sitin all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.