BIND 9 Significant Features Matrix

Updated on 03 May 2023
5 Minutes to read
Contributors

Print
Share
Dark

Light
PDF

Article Summary

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences for current main supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.

The tables below don't include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.

Refactoring

BIND's interface to the network was refactored during the 9.15 to 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this didn't result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.

Major Features Added or Changed

Feature	9.11	9.11-S	9.16	9.16-S	9.18	9.18-S
Compression on source tarballs	gz (tar.gz)	gz (tar.gz)	xz (tar.xz) 9.15.7	xz (tar.xz)	xz (tar.xz)	xz (tar.xz)
DDOS Mitigation: DNS COOKIE (previously called SIT)	updated in 9.11.26 aes or sha256	algorithm changed to siphash24, multiple cookie secrets added	updated in 9.16.10	updated in 9.16.10-S	all	all
DDOS Mitigation: Multiple response rate limiters for different domains	---	all	---	all	---	all
DDOS Mitigation: Size & ratio controls for response rate limiters	---	all	---	all	---	all
DNSSEC: Key and Signing Policy	---	---	new	new	updated	updated
DNSSEC validation			default changed from yes to auto	auto	auto	auto
DNSSEC: "validate-except" Permanent Negative trust anchors	---	added (backported from 9.13.10)	all	all	all	all
DNS over HTTPS (DoH) (RFC 8484)	---	---	---	---	all	all
DNS over TLS (DoT) (RFC 7858)	---	---	---	---	all	all
Documentation - BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs	---	---	all	---	all	all
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020)	9.11.24	9.11.24	9.16.8	9.16.8	all	all
EDNS Client-Subnet (ECS) for resolver	---	all, updated 9.11.26-S	---	all, updated 9.16.10-S	---	all
EDNS Client-Subnet (ECS) option support for authoritative servers	experimental	exp	removed	removed	---	---
EDNS Padding (RFC 7830)	---	all	all	all	all	all
Extended Errors (RFC 8914)	---	---	---	---	#18	#18
GeoIP support	all	all	all	2.0 api	2.0 api	2.0 api
IXFR size limits	---	---	new max-ixfr-ratio option	all	all	all
Management: automatic DNSTAP file rolling	---	added	all	all	all	all
Management: timestamp suffix option for rolled log files and DNSTAP files	---	added	all	all	all	all
Mirror Zones (RFC 8806)	---	---	added (9.13.2)	all	all	all
BIND Modules - plug-in support for query processing	---	---	added (9.13.2)	all	now asynchronous	now asynchronous
Performance: EDNS TCP keepalive support (RFC 7828)	---	all	all	all	all	all
Performance: glue cache	---	---	added	added	The option has been deprecated. The feature will be enabled by default in future	The option has been deprecated. The feature will be enabled by default in future
Performance: minimal responses (RFC 8482)	---	---	added	added	all	all
Performance: answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/)	---	---	present, disabled by default	present, disabled by default	modified, re-enabled by default	modified, re-enabled by default
Performance: Pipelined TCP queries (server side) (RFC 7766)	all	all		all	all	all
maximum timeout increased	all, longer max timeout	all, longer max timeout	all	all	all	all
QNAME Minimization (RFC 9156)		all	all	all	all	all
RPZ-passthru new logging channel	---	---	---	---	all	all
RPZ: refactored RPZ	---	all, rate limits for updates improved performance and reliability	all	all	all	all
RPZ: 'nsdname-wait-recurse'	---	all	all	all	all	all
RPZ: Response Policy Service API	---	---	new	new	all	all
New RRs	---	---	---	---	HTTPS, SCVB	HTTPS, SCVB
Serve Stale	---	9.11.4-S, updated 9.11.25-S, 9.11-30-S1	all, updated 9.16.9, 9.16.13	all, updated 9.16.9-S, 9.16.13-S	see KB	see KB
Umbrella PROTOSS EDNS option		new	---	all	---	all
Zone transfer over TLS, aka XoT (RFC 9103)	---	---	---	---	new	new

Features Removed (or planned for removal)

In the following table, "deprecated" means that the option is still usable, but it's use is discouraged because it is going to be obsoleted in a future version. Typically these will generate a warning if used. "Obsoleted" options are no longer in use - they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy for removing options by a phased process (the phases are (1) community comment (2) deprecation (3) removal) but some of these changes happened before that policy was established. Those are the options that are just marked as "removed."

Feature	9.12	9.14	9.15	9.16	9.18	9.20	9.22	9.24
acache cleaning-interval, acache enable, additional from auth, additional from cache				additional data now recorded in main cache	-----	----	----	----
cleaning-interval	obsolete		obsolete	removed	----	----	----	----
Crypto:Native PKCS#11				deprecated	removed in 9.18, replaced with OpenSC PKCS#11	----	----	----
dig+sigchase	removed	-----	-----	-----	-----	----	----	----
dlv trust anchor	removed	-----	-----	-----	-----	----	----	----
DLV (DNSSEC Look-Aside Validator)			deprecated	removed	-----	----	----	----
DLZ drivers (DLZ modules unaffected)					deprecated in 9.17.19, to be removed by 9.18	----	----	----
DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC-SHA1 and ECC-GOST)		removed	-----	-----	-----	----	----	----
DNSSEC enable			9.15.1 DNSSEC enabled by default	obsolete	obsolete	----	----	----
DNSSEC managed-keys			9.15.1 replaced with trust-anchors plus initial-key			----	----	----
DNSSEC trusted-keys			9.15.1 replaced with trust-anchors plus static-key			----	----	----
DSCP				deprecated/non-operational	deprecated/non-operational	obsolete	----	----
EDNS Client-Subnet (ECS) authoritative		removed	-----	-----	-----	----	----	----
lwresd	removed	-----	-----	-----	-----	----	----	----
'map' zone file format				deprecated	removed	----	----	----
Source Ports - explicit definition of source ports for outgoing connections				discouraged as it implicitly disables source port randomization		deprecated	obsolete	----
TKEY mode 2. Switch to TKEY Mode 3 (GSS-API)					deprecated, tkey-dhkey will warn	removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH	----	----
Windows 32-bit support	-----	-----	-----	deprecated	removed	----	----	----

Utilities

Utility	9.11	9.11-S	9.16	9.16-S	9.18
dig	all	all	all	all	+unexpected removed, +qid= & +dns64prefix added, dig is now able to send DOH and DOT queries, dig output now includes the transport protocol used
dnssec-cds	---	---	all	all	all

Notes:

"all" indicates that this feature was (or will be) introduced in the first public release of this branch.
Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.

What's Next

Policy for removing named.conf options

Table of contents