---
title: "BIND 9 Significant Features Matrix"
slug: "aa-01310"
description: "BIND 9 Significant Features Matrix"
tags: ["features", "delv", "tcp", "named", "mirror zones", "cookies", "dnstap", "dyndb", "qname minimization", "rpz", "cdskey", "nxdomain", "negative trust anchor", "tsig", "cds", "servfail", "bind 9", "pkcs11", "mdig", "ecs", "isc", "catalog zone", "keygen", "edns", "ddos", "rndc", "mitigation", "geoip", "dnssec", "serve stale", "rrchecker"]
status: "update"
updated: 2026-06-11T20:58:39Z
published: 2026-06-11T20:58:39Z
canonical: "kb.isc.org/aa-01310"
---


# BIND 9 Significant Features Matrix

This table lists the major feature differences among the currently supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.

Please see also [this ISC KB article](https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-911-to-916) on upgrading from BIND 9.11 to 9.16, [this ISC KB article](https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918) on upgrading from BIND 9.16 to 9.18 and [this ISC KB article](https://kb.isc.org/docs/bind-920-changes) on upgrading from BIND 9.18 to 9.20.

These tables do not include changes in the build environment or platform support. Those requirements are included in the [platforms.md](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/PLATFORMS.md) file at the top level of the BIND distribution.

#### BIND -S software

The ["-S" (stable preview) editions](https://www.isc.org/docs/BIND-9-S-Edition.pdf) are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.

#### Refactoring

BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used `libuv` library. While this did not result in any *feature* changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See [this article](https://kb.isc.org/docs/bind-memory-consumption-explained) for details.

**Notes:**

- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.

### Major Features Added or Changed

| Feature | 9.20 stable | 9.20-S stable | 9.18 EoL | 9.18-S EoL | 9.16 EoL | 9.16-S EoL |
| --- | --- | --- | --- | --- | --- | --- |
| BIND Modules: plug-in support for query processing |  |  | now asynchronous | now asynchronous | added (9.13.2) | all |
| **cdnskey** option in **dnssec-policy**, to permit or deny publication of CDNSKEY RRs. | new | new | - | - | - | - |
| **cds-digest-types** option in **dnssec-policy**, to allow configuration of digest types for CDS RRs. | new | new | - | - | - | - |
| **check-svcb** option, for additional SVCB RR checking. | new | new | - | - | - | - |
| [DNS COOKIE](https://kb.isc.org/docs/aa-01387) |  |  | all | all | updated in 9.16.10 | updated in 9.16.10-S |
| **delv +ns** more accurately mimics BIND behaviour. | new | new | - | - | - | - |
| DNS over HTTPS (DoH) [(RFC 8484)](https://datatracker.ietf.org/doc/rfc8484) |  |  | all | all | - | - |
| DNS over TLS (DoT) [(RFC 7858)](https://datatracker.ietf.org/doc/rfc7858) |  |  | all | all | - | - |
| DNSSEC validation | auto | auto | auto | auto | default changed from yes to auto | auto |
| **dnssec-keygen -f** and **dnssec-keygen -k** can be used together. | new | new | - | - | - | - |
| **dnssec-ksr** utility for creation of Key Signing Request (KSR) and Signed Key Response (SKR) files. | new | new | - | - | - | - |
| DNSSEC multi-signer model 2 RFC8901 support in **inline-signing** | new | new | - | - | - | - |
| **dnssec-signzone -G** can be used to control publication of specific CDS and CDNSKEY RRs | new | new | - | - | - | - |
| **dnssec-verify -J** and **dnssec-signzone -J** for reading journal files. | new | new | - | - | - | - |
| **dnstap-read** prints long timestamps with millisecond precision. It can also understand DoT and DoH entries. | new | new | - | - | - | - |
| dnstap emits distinct entries for DoT and DoH queries. | new | new | - | - | - | - |
| EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) |  |  | all | all | 9.16.8 | 9.16.8 |
| EDNS Client-Subnet (ECS) for resolver | - | all | - | all | - | all, updated 9.16.10-S |
| EDNS Client-Subnet (ECS) option support for authoritative servers | - | - | - | - | removed | removed |
| EDNS EXPIRE option now includes AXFR and IXFR | new | new | - | - | - | - |
| Extended Errors [(RFC 8914)](https://datatracker.ietf.org/doc/rfc8914) | #1, #2, #4, #7, #8, #15, #16, #17, #20, #22 | #1, #2, #4, #7, #8, #15, #16, #17, #20, #22 | #3, #18, #19 | #18 | - | - |
| **ede** option for **response-policy**, to support Extended DNS Errors. | new | new | - | - | - | - |
| Forwarding using TLS to DoT-enabled servers, including forwarding of dynamic updates. | new | new | - | - | - | - |
| IXFR size limits |  |  | all | all | new **max-ixfr-ratio** option | all |
| **key-store** option in **dnssec-policy** for HSM support | new | new | - | - | - | - |
| **offline-ksk** option for **dnssec-policy** | new | new | - | - | - | - |
| [min-transfer-rate-in](https://downloads.isc.org/isc/bind9/9.20.10/doc/arm/html/reference.html#namedconf-statement-min-transfer-rate-in) | new | new | - | - | - | - |
| [notify-defer](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-notify-defer) | new | new | - | - | - | - |
| answer synthesis from cached NSEC [(RFC 8198)](https://datatracker.ietf.org/doc/rfc8198/) |  |  | modified, re-enabled by default | modified, re-enabled by default | present, disabled by default | present, disabled by default |
| **recursive high-water** statistics-channel counter, to show the maximum number of recursive clients handled so far during this run | new | new | - | - | - | - |
| **require-cookie** option, for fallback to TCP if a remote server does not provide DNS cookies over UDP. | new | new | - | - | - | - |
| **resolver-use-dns64** option, to allow resolvers to use DNS64 addresses directly, e.g. through a NAT64 gateway. | new | new | - | - | - | - |
| New RRs | WALLET | WALLET | HTTPS, SVCB | HTTPS, SVCB | - | - |
| **rndc -t** to specify command timeout. | new | new | - | - | - | - |
| **rndc fetchlimit** reports servers currently rate-limited | new | new | - | - | - | - |
| **rndc status** shows the number of zones in their first refresh cycle, either pending or active. | new | new | - | - | - | - |
| **source** and **source-v6** options can be used to replace **\*-source** and **\*-source-v6** options. | new | new | - | - | - | - |
| Performance: minimal responses [(RFC 8482)](https://datatracker.ietf.org/doc/rfc8482) |  |  | all | all | added | added |
| Performance: pipelined TCP queries (server side) [(RFC 7766)](https://datatracker.ietf.org/doc/rfc7766) |  |  | all | all | - | all |
| PROXYv2 support, in both BIND and DiG | new | new | - | - | - | - |
| RPZ-passthru new logging channel |  |  | all | all | - | - |
| RPZ: Response Policy Service **API** |  |  | all | all | new | new |
| Support for libsystemd's sd_notify() function, allowing **systemd** to know the status of **named**. | new | new | - | - | - | - |
| [Serve Stale](https://kb.isc.org/docs/serve-stale-implementation-details) |  |  | see [KB](https://kb.isc.org/docs/serve-stale-implementation-details) | see [KB](https://kb.isc.org/docs/serve-stale-implementation-details) | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S |
| TLSv1.3 cipher suites added. | new | new | - | - | - | - |
| Umbrella PROTOSS EDNS option | - | all | - | all | - | all |
| User Statically Defined Tracing (USDT) probes. | new | new | - | - | - | - |
| Zone transfer over TLS, aka XoT [(RFC 9103)](https://datatracker.ietf.org/doc/rfc9103) |  |  | new | new | - | - |

### Features Removed (or Planned for Removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of deprecated features generates a warning. Removing features reduces complexity, which is a major factor in stabilizing the software. Most of the deprecated features are little-used, and some are actually considered harmful in modern deployments, even if they once seemed like a good idea.

"Obsolete"/"Removed" options are no longer in use: they are either ignored or named.conf will not load with them. We have a [policy for removing options by a phased process](https://kb.isc.org/docs/policy-for-removing-namedconf-options): the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."

| Feature | 9.24 | 9.22 | 9.20 stable | 9.18 EoL | 9.16 EoL |
| --- | --- | --- | --- | --- | --- |
| **acache cleaning-interval**, **acache enable**, **additional from auth**, **additional from cache** | - | - | - | - | additional data now recorded in main cache |
| **alt-transfer-source**, **alt-transfer-source-v6** and **use-alt-transfer-source** | - | - | obsolete |  |  |
| **auto-dnssec** | - | - | removed |  |  |
| **cleaning-interval** | - | - | - | - | removed |
| Compiling with jemalloc versions older than 4.0.0 |  | -- | removed |  |  |
| Configuration of UNIX domain sockets for the control channel | - | - | obsolete |  |  |
| Configure option **--enable-fixed-rrset** |  |  | deprecated |  |  |
| Configure option **--with-tuning** | - | - | obsolete |  |  |
| **coresize**, **datasize**, **files** and **stacksize** options | - | - | obsolete |  |  |
| **delegation-only** and **root-delegation-only** | - | - | obsolete | deprecated |  |
| DLZ drivers (DLZ *modules* unaffected) | - | - | - | deprecated in 9.17.19, to be removed in 9.18 |  |
| DNS COOKIE algorithm AES | - | - | obsolete |  |  |
| DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST) | - | - | - | - | - |
| **dnskey-sig-validity** | - | - | removed |  |  |
| **dnssec-dnskey-kskonly** | - | - | removed |  |  |
| **dnssec-enable** | - | - | - | obsolete | obsolete |
| **dnssec-must-be-secure** | - | fatal error, obsolete | deprecation warning | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA |
| **dnssec-secure-to-insecure** | - | - | obsolete |  |  |
| **dnssec-update-mode** | - | - | removed |  |  |
| DSCP | - | - | obsolete | deprecated/non-operational | deprecated/non-operational |
| **glue-cache** option | - | - | obsolete (glue cache is now permanently enabled) |  |  |
| **keep-response-order** | - | - | obsolete |  |  |
| libbind9 shared library | - | - | obsolete |  |  |
| libirs library | - | - | obsolete | - | - |
| **lock-file** | - | - | obsolete |  |  |
| map zone file format | - | - | - | removed | deprecated |
| **max-zone-ttl** |  |  | deprecated |  |  |
| **named -U** | - | - | obsolete |  |  |
| **named -X** | - | - | obsolete |  |  |
| **nsupdate -o** |  |  | deprecated |  |  |
| **oldgsstsig** |  |  | deprecated |  |  |
| Native PKCS#11 | - | - | - | removed in 9.18, replaced with OpenSC PKCS#11 | deprecated |
| **resolver-nonbackoff-tries** and **resolver-retry-interval** | - | - | obsolete |  |  |
| **rrset-order fixed** |  |  | deprecated |  |  |
| **sig-validity-interval** | - | - | removed |  |  |
| **sortlist** |  |  | deprecated |  |  |
| Source ports: explicit definition of source ports for outgoing connections: specifying **port** in the following statements: **query-source**, **query-source-v6**, **transfer-source**, **transfer-source-v6**, **notify-source**, **notify-source-v6**, **parental-source**, **parental-source-v6**; or the following statements as a whole: **use-v4-udp-ports**, **use-v6-udp-ports**, **avoid-v4-udp-ports**, **avoid-v6-udp-ports** | - | obsolete | deprecated |  | discouraged as it implicitly disables source port randomization |
| **stale-answer-client-timeout** values >0 | - | - | obsolete |  |  |
| TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) | - | - | obsolete and will cause a fatal error |  |  |
| TKEY mode 2, switch to TKEY Mode 3 (GSS-API) | - | - | removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH | deprecated, tkey-dhkey will warn |  |
| Triggering of key rollovers and denial-of-existence operations due to dynamic updates that add and remove DNSKEY and NSEC3PARAM records. | - | - | obsolete |  |  |
| **update-check-ksk** | - | - | removed |  |  |
| UNIX Domain sockets | - | - | fatal error in named and named-checkconf | fatal error in named |  |
| Windows 32-bit support | - | - | - | obsolete | deprecated |
| Zone type **delegation-only**, and the **delegation-only** and **root-delegation-only** statements | - | - | obsolete | deprecated (9.18.4) |  |

### Utilities

| Utility | 9.18 | 9.16 | 9.16-S | 9.11 | 9.11-S |
| --- | --- | --- | --- | --- | --- |
| dig | +unexpected removed, +qid= and +dns64prefix added; dig is now able to send DoH and DoT queries; dig output now includes the transport protocol used | all | all | all | all |
| dnssec-cds | all | all | all | --- | --- |

## Related

- [BIND 9.16 Significant Changes](/changes-to-be-aware-of-when-moving-from-911-to-916.md)
- [BIND Memory Consumption Explained](/bind-memory-consumption-explained.md)
- [BIND 9.18 Significant Changes](/changes-to-be-aware-of-when-moving-from-bind-916-to-918.md)
