BIND 9 Significant Features Matrix
  • 12 Apr 2022

The "S" (stable preview) editions and the other release branches of BIND 9 differ in a number of ways. This table lists the major feature differences among the main currently supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans where features overlap with already-released branches).

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16.

The tables below don't include changes in the build environment or platform support. Those requirements are included in the file at the top level of the BIND distribution.


BIND's interface to the network was refactored during the 9.15 to 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this didn't result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.

Major Features Added or Changed

Feature | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18
Compression on source tarballs | gz (tar.gz) | gz (tar.gz) | xz (tar.xz) 9.15.7 | xz (tar.xz) | xz (tar.xz)
DDOS Mitigation: DNS COOKIE (previously called SIT) | updated in 9.11.26 aes or sha256 | algorithm changed to siphash24, multiple cookie secrets added | updated in 9.16.10 | updated in 9.16.10-S | all
DDOS Mitigation: Multiple response rate limiters for different domains | --- | all | --- | all | ---
DDOS Mitigation: Size & ratio controls for response rate limiters | --- | all | --- | all | ---
DNSSEC: Key and Signing Policy | --- | --- | new | new | updated
DNSSEC validation default changed from yes to autoauto auto
DNSSEC: "validate-except" Permanent Negative trust anchors | --- | added (backported from 9.13.10) | all | all | all
DNS over HTTPS (DOH) (RFC 8484) | --- | --- | --- | --- | all
DNS over TLS (DOT) (RFC 7858) | --- | --- | --- | --- | all
Documentation - BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs | --- | --- | all | --- | all
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020)
EDNS Client-Subnet (ECS) for resolver | --- | all, updated 9.11.26-S | --- | all, updated 9.16.10-S | ---
EDNS Client-Subnet (ECS) option support for authoritative servers | experimental | exp | removed | removed | ---
EDNS Padding (RFC 7830) | --- | all | all | all | all
Extended Errors (RFC 8914) | --- | --- | --- | --- | #18
GeoIP support | all | all | all | 2.0 api | 2.0 api
Glue cache | --- | --- | added | added | option has been deprecated, feature will be enabled by default in future when the option is removed
IXFR size limits | --- | --- | new max-ixfr-ratio option | all | all
Management: automatic DNSTAP file rolling | --- | added | all | all | all
Management: timestamp suffix option for rolled log files and DNSTAP files | --- | added | all | all | all
Mirror Zones (RFC 8806) | --- | --- | added (9.13.2) | all | all
BIND Modules - plug-in support for query processing | --- | --- | added (9.13.2) | all | now asynchronous
Performance: EDNS TCP keepalive support (RFC 7828) | --- | all | all | all | all
Performance: glue cache | --- | --- | added | added | option has been deprecated, feature will be enabled by default in future
Performance: minimal responses (RFC 8482) | --- | --- | added | added | all
Performance: answer synthesis from cached NSEC (RFC 8198) | --- | --- | present, disabled by default | present, disabled by default | modified, re-enabled by default
Performance: Pipelined TCP queries (server side) (RFC 7766) | all | all, maximum timeout increased | all, longer max timeout | all, longer max timeout | all
QNAME Minimization (RFC 9156)
RPZ-passthru new logging channel | --- | --- | --- | --- | all
RPZ: refactored RPZ | --- | all, rate limits for updates improved performance and reliability | all | all | all
RPZ: 'nsdname-wait-recurse' | --- | all | all | all | all
RPZ: Response Policy Service **API** | --- | --- | new | new | all
New RRs | --- | --- | --- | --- | HTTPS, SVCB
Serve Stale | --- | 9.11.4-S, updated 9.11.25-S, 9.11-30-S1 | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S | see KB
Umbrella PROTOSS EDNS option new---all---
Zone transfer over TLS, aka XoT (RFC 9103) | --- | --- | --- | --- | new

Features Removed (or planned for removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. "Obsoleted" options are no longer in use: they are either ignored, or named.conf won't load with them. "Removed" in the table below means the same thing as "obsoleted." We have a policy of removing options through a phased process (the phases are (1) community comment, (2) deprecation, (3) removal), but some of these changes happened before that policy was established. Those are the options that are simply marked as "removed."

acache cleaning-interval, acache enable, additional from auth, additional from cache | removed, additional data now recorded in main cache | -----
cleaning-interval | obsolete | obsolete | removed | ----
Crypto: Native PKCS#11 | deprecated | removed in 9.18, replaced with OpenSC PKCS#11
dig +sigchase | removed | ----- | ----- | ----- | -----
dlv trust anchor | removed | ----- | ----- | ----- | -----
DLV (DNSSEC Look-Aside Validator) | deprecated | removed | -----
DLZ drivers (DLZ *modules* unaffected) | deprecated in 9.17.19, to be removed by 9.18
DNSSEC Algorithms 1, 3, 6 and 12 (RSAMD5, DSA, DSA-NSEC3-SHA1 and ECC-GOST) | removed | ----- | ----- | -----
DNSSEC enable | 9.15.1 DNSSEC enabled by default | obsolete | obsolete
DNSSEC managed-keys | 9.15.1, replaced with dnssec-keys plus initial-key
DNSSEC trusted-keys | 9.15.1, replaced with dnssec-keys plus static-key
EDNS Client-Subnet (ECS) authoritative | removed | ----- | ----- | -----
lwresd | removed | ----- | ----- | ----- | -----
'map' zone file format | deprecated | removed
Windows 32-bit support | ----- | ----- | ----- | deprecated | removed


Utility | 9.11 | 9.11-S | 9.16 | 9.16-S | 9.18
dig | all | all | all | all | +unexpected removed, +qid= & +dns64prefix added, dig is now able to send DOH and DOT queries, dig output now includes the transport protocol used


  • "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
  • Version numbers indicate that this feature was (or will be) introduced in the specified version, not in the first public release of the branch.
  • DNS COOKIE support was introduced in 9.10 as an experimental feature using the name SIT (server identity token). It can be enabled with --enable-sit in all Unix/Linux builds and is on by default in Windows. In 9.11 the name was changed to COOKIE and the feature is enabled by default in all builds.