--- title: "BIND 9.11 Significant Changes" slug: "bind-911-branch" description: "This document summarizes new features and functional changes that have been introduced on the BIND 9.11 branch. With each release leading up to the final BIND 9.11.x release, this document will be updated with additional features added and bugs fixed. Some details included in the release notes published for each version have been deleted for brevity. The original release notes for each 9.11.x version are available in the ftp.isc.org archives." updated: 2023-01-18T20:30:54Z published: 2023-01-18T20:30:54Z deprecated: true --- > ## Documentation Index > Fetch the complete documentation index at: https://kb.isc.org/llms.txt > Use this file to discover all available pages before exploring further. # BIND 9.11 Significant Changes > **Deprecated.** This software version is EOL ### Introduction This document summarizes new features and functional changes that have been introduced on the BIND 9.11 branch. With each release leading up to the final BIND 9.11.x release, this document will be updated with additional features added and bugs fixed. Some details included in the release notes published for each version have been deleted for brevity. The original release notes for each 9.11.x version are available in the ftp.isc.org archives. ## Download The latest versions of BIND 9 software can always be found at [http://www.isc.org/downloads/](http://www.isc.org/downloads). There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. ## License Change With the release of BIND 9.11.0, ISC changed the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0). This change was effective from BIND 9.11.0b1 onwards. The MPL-2.0 license requires that if you make changes to licensed software (e.g. BIND) and distribute them outside your organization, that you publish those changes under that same license. It does not require that you publish or disclose anything other than the changes you made to our software. This new requirement will not affect anyone who is using BIND without redistributing it, nor anyone redistributing it without changes, therefore this change will be without consequence for most individuals and organizations who are using BIND. Those unsure whether or not the license change affects their use of BIND, or who wish to discuss how to comply with the license may contact ISC at [https://www.isc.org/mission/contact/](https://www.isc.org/mission/contact). ## Security Fixes - It was possible to trigger a assertion when rendering a message using a specially crafted request. This flaw is disclosed in CVE-2016-2776. [RT #43139] - getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if when combined with a search list entry the resulting name is too long. This flaw is disclosed in CVE-2016-2775. [RT #42694] --- ## New Features ## Catalog Zones - A new method of provisioning secondary servers called "Catalog Zones" has been added. This is an implementation of [draft-muks-dnsop-dns-catalog-zones/](https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones). A catalog zone is a regular DNS zone which contains a list of "member zones", along with the configuration options for each of those zones. When a server is configured to use a catalog zone, all the zones listed in the catalog zone are added to the local server as slave zones. When the catalog zone is updated (e.g., by adding or removing zones, or changing configuration options for existing zones) those changes will be put into effect. Since the catalog zone is itself a DNS zone, this means configuration changes can be propagated to slaves using the standard AXFR/IXFR update mechanism. This feature should be considered experimental. It currently supports only basic features; more advanced features such as ACLs and TSIG keys are not yet supported. Example catalog zone configurations can be found in the Chapter 9 of the BIND Administrator Reference Manual. Support for master entries with TSIG keys has been added to catalog zones, as well as support for allow-query and allow-transfer. - Added an **isc.rndc** Python module, which allows **rndc** commands to be sent from Python programs. - Added support for DynDB, a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project. (Thanks in particular to Adam Tkac and Petr Spacek of Red Hat for the contribution.) Unlike the existing DLZ and SDB interfaces, which provide a limited subset of database functionality within BIND — translating DNS queries into real-time database lookups with relatively poor performance and with no ability to handle DNSSEC-signed data — DynDB is able to fully implement and extend the database API used natively by BIND. A DynDB module could pre-load data from an external data source, then serve it with the same performance and functionality as conventional BIND zones, and with the ability to take advantage of database features not available in BIND, such as multi-master replication. ## Resolver fetch limits - Fetch quotas are now compiled in by default: they no longer require BIND to be configured with **--enable-fetchlimit** , as was the case when the feature was introduced in BIND 9.10.3. These quotas limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. They can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursive servers when they are being used as a vehicle for such an attack. - `fetches-per-server` limits the number of simultaneous queries that can be sent to any singleauthoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the `fetch-quota-params` option. - `fetches-per-zone` limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) Statistics counters have also been added to track the number of queries affected by these quotas. ## dnstap - Added support for **dnstap** , a fast, flexible method for capturing and logging DNS traffic, developed by Robert Edmonds at Farsight Security, Inc., whose assistance is gratefully acknowledged. To enable **dnstap** at compile time, the **fstrm** and **protobuf-c** libraries must be available, and BIND must be configured with `--enable-dnstap`. A new utility **dnstap-read** has been added to allow **dnstap** data to be presented in a human-readable format. **rndc dnstap -roll** causes **dnstap** output files to be rolled like log files -- the most recent output file is renamed with a `.0` suffix, the next most recent with `.1`, etc. (Note that this only works when **dnstap** output is being written to a file, not to a UNIX domain socket.) An optional numerical argument specifies how many backup log files to retain; if not specified or set to 0, there is no limit. **rndc dnstap -reopen** simply closes and reopens the **dnstap** output channel without renaming the output file. For more information on **dnstap** , see [http://dnstap.info](http://dnstap.info/). - New statistics counters have been added to track traffic sizes, as specified in RSSAC002. Query and response message sizes are broken up into ranges of histogram buckets: TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+, and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095, and 4096+. These values can be accessed via the XML and JSON statistics channels at, for example, [http://localhost:8888/xml/v3/traffic](http://localhost:8888/xml/v3/traffic) or [http://localhost:8888/json/v1/traffic](http://localhost:8888/json/v1/traffic). Statistics for RSSAC02v3 traffic-volume, traffic-sizes and rcode-volume reporting are now collected. ### DNSSEC Key Management Utility - A new DNSSEC key management utility, **dnssec-keymgr** , has been added. This tool is meant to run unattended (e.g., under **cron** ). It reads a policy definition file (default `/etc/dnssec-policy.conf`) and creates or updates DNSSEC keys as necessary to ensure that a zone's keys match the defined policy for that zone. New keys are created whenever necessary to ensure rollovers occur correctly. Existing keys' timing metadata is adjusted as needed to set the correct rollover period, prepublication interval, etc. If the configured policy changes, keys are corrected automatically. See the **dnssec-keymgr** man page for full details. Note: **dnssec-keymgr** depends on Python and onthe Python lex/yacc module, PLY. The other Python-based tools, **dnssec-coverage** and **dnssec-checkds**, have been refactored and updated as part of this work. **dnssec-keymgr** now takes a -r *`randomfile`* option. (Many thanks to Sebastián Castro for his assistance in developing this tool at the IETF 95 Hackathon in Buenos Aires, April 2016.) - The serial number of a dynamically updatable zone can now be set using **rndc signing -serial *`number`* *`zonename`*** . This is particularly useful with `inline-signing` zones that have been reset. Setting the serial number to a value larger than that on the slaves will trigger an AXFR-style transfer. - When answering recursive queries, SERVFAIL responses can now be cached by the server for a limited time; subsequent queries for the same query name and type will return another SERVFAIL until the cache times out. This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers. The SERVFAIL cache timeout is controlled by `servfail-ttl`, which defaults to 1 second and has an upper limit of 30. - The new **rndc nta** command can now be used to set a "negative trust anchor" (NTA), disabling DNSSEC validation for a specific domain; this can be used when responses from a domain are known to be failing validation due to administrative error rather than because of a spoofing attack. NTAs are strictly temporary; by default they expire after one hour, but can be configured to last up to one week. The default NTA lifetime can be changed by setting the `nta-lifetime` in `named.conf`. When added, NTAs are stored in a file (`*`viewname`* .nta`) in order to persist across restarts of the **named** server. - The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing `geoip` or `ecs`elements can match against the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network. - The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave server. - A new `masterfile-style` zone option controls the formatting of text zone files: When set to `full`, the zone file will dumped in single-line-per-record format. - ## Tools and Utilities ### dig - **dig +ednsopt** can now be used to set arbitrary EDNS options in DNS requests. - **dig +ednsflags** can now be used to set yet-to-be-defined EDNS flags in DNS requests. - **dig +[no]ednsnegotiation** can now be used enable / disable EDNS version negotiation. - **dig +header-only** can now be used to send queries without a question section. - **dig +ttlunits** causes **dig** to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds. - **dig +zflag** can be used to set the last unassigned DNS header flag bit. This bit is normally zero. - **dig +dscp= *`value`*** can now be used to set the DSCP code point in outgoing query packets. - **dig +mapped** can now be used to determine if mapped IPv4 addresses can be used. - **nslookup** will now look up IPv6 as well as IPv4 addresses by default. [RT #40420] - `serial-update-method` can now be set to `date`. On update, the serial number will be set to the current date in YYYYMMDDNN format. - **dnssec-signzone -N date** also sets the serial number to YYYYMMDDNN. - **named -L *`filename`*** causes **named** to send log messages to the specified file by default instead of to the system log. - The rate limiter configured by the `serial-query-rate` option no longer covers NOTIFY messages; those are now separately controlled by `notify-rate` and `startup-notify-rate` (the latter of which controls the rate of NOTIFY messages sent when the server is first started up or reconfigured). - The default number of tasks and client objects available for serving lightweight resolver queries have been increased, and are now configurable via the new `lwres-tasks` and `lwres-clients` options in `named.conf`. [RT #35857] - Log output to files can now be buffered by specifying **buffered yes;** when creating a channel. - **delv +tcp** will exclusively use TCP when sending queries. - **named** will now check to see whether other name server processes are running before starting up. This is implemented in two ways: 1) by refusing to start if the configured network interfaces all return "address in use", and 2) by attempting to acquire a lock on a file specified by the `lock-file` option or the **-X** command line option. The default lock file is `/var/run/named/named.lock`. Specifying `none` will disable the lockfile check. ### rndc and dynamic zones - **rndc delzone** can now be applied to zoneswhich were configured in `named.conf`; it is no longer restricted to zones which were added by **rndc addzone** . (Note, however, that this does not edit `named.conf`; the zone must be removed from the configuration or it will returnwhen **named** is restarted or reloaded.) - **rndc modzone** can be used to reconfigure a zone, using similar syntax to **rndc addzone** . - **rndc showzone** displays the current configuration for a specified zone. - When BIND is built with the **lmdb** library(Lightning Memory-Mapped Database), **named** will store the configuration information for zones that are added via **rndc addzone** in a database, rather than in a flat "NZF" file. This dramatically improves performance for **rndc delzone** and **rndc modzone** : deleting or changing the contents of a database is much faster than rewritinga text file. On startup, if **named** finds an existing NZF file, it will automatically convert it to the new NZD database format. To view the contents of an NZD, or to convert anNZD back to an NZF file (for example, to revert back to an earlier version of BIND which did not support the NZD format), use the new command **named-nzd2nzf** [RT #39837] - Added server-side support for pipelined TCP queries. Clientsmay continue sending queries via TCP while previous queries are processed in parallel. Responses are sent when they areready, not necessarily in the order in which the queries were received. To revert to the former behavior for a particular client address or range of addresses, specify the address prefix in the "keep-response-order" option. To revert to the former behavior for all clients, use "keep-response-order { any; };". - To enable better monitoring and troubleshooting of RFC 5011 trust anchor management, the new **rndc managed-keys** can be used to check status of trust anchors or to force keys to be refreshed. Also, the managed-keys data file now has easier-to-read comments. [RT #38458] - An **--enable-querytrace** configure switch is now available to enable very verbose query trace logging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging. [RT #37520] - A new **tcp-only** option can be specified in **server** statements to force **named** to connect to the specified server via TCP. [RT #37800] - The **nxdomain-redirect** option specifies a DNS namespace to use for NXDOMAIN redirection. When a recursive lookup returns NXDOMAIN, a second lookup is initiated with the specified name appended to the query name. This allows NXDOMAIN redirection data to be supplied by multiple zones configured on the server, or by recursive queries to other servers. (The older method, using a single **type redirect** zone, has better average performance but is less flexible.) [RT #37989] - The following types have been implemented: CSYNC, NINFO, RKEY, SINK, TA, TALINK. - A new **message-compression** option can be used to specify whether or not to use name compression when answering queries. Setting this to **`no`** results in larger responses, but reduces CPU consumption and may improve throughput. The default is **`yes`** . - A **read-only** option is now available in the **controls** statement to grant non-destructive control channel access. In such cases, a restricted set of **rndc** commands are allowed, which can report information from **named** , but cannot reconfigure or stop the server. By default, the control channel access is *not* restricted to these read-only operations. [RT #40498] - When loading a signed zone, **named** will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately. This helps when a system's clock needs to be reset backwards. - The new **minimal-any** option reduces the size of answers to UDP queries for type ANY by implementing one of the strategies in "draft-ietf-dnsop-refuse-any": returning a single arbitrarily-selected RRset that matches the query name rather than returning all of the matching RRsets. Thanks to Tony Finch for the contribution. [RT #41615] - **named** now provides feedback to the owners of zones which have trust anchors configured (**trusted-keys** , **managed-keys** , **dnssec-validation auto;** and **dnssec-lookaside auto;** ) by sending a daily query which encodes the keyids of the configured trust anchors for the zone. This is controlled by **trust-anchor-telemetry** and defaults to yes. ### Feature Changes - The logging format used for **querylog** has been altered. It now includes an additional field indicating the address in memory of the client object processing the query. The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when **named** is configured to use this service, either explicitly or via `dnssec-lookaside auto;`. [RT #42207] - The timers returned by the statistics channel (indicating current time, server boot time, and most recent reconfiguration time) are now reported with millisecond accuracy. [RT #40082] - Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET. - ACLs containing **geoip asnum** elements were not correctly matched unless the full organization name was specified in the ACL (as in **geoip asnum "AS1234 Example, Inc.";** ). They can now match against the AS number alone (as in **geoip asnum "AS1234";** ). - When using native PKCS#11 cryptography (i.e., **configure --enable-native-pkcs11** ) HSM PINs of up to 256 characters can now be used. - NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.) - Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates. - By default, **nsupdate** will now check the correctness of hostnames when adding records of type A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be disabled with **check-names no** . - Added support for OPENPGPKEY type. - The names of the files used to store managed keys and added zones for each view are no longer based on the SHA256 hash of the view name, except when this is necessary because the view name contains characters that would be incompatible with use as a file name. For views whose names do not contain forward slashes ('/'), backslashes (''), or capital letters - which could potentially cause namespace collision problems on case-insensitive filesystems - files will now be named after the view (for example, `internal.mkeys` or `external.nzf`). However, to ensure consistent behavior when upgrading, if a file using the old name format is found to exist, it will continue to be used. - "rndc" can now return text output of arbitrary size to the caller. (Prior to this, certain commands such as "rndc tsig-list" and "rndc zonestatus" could return truncated output.) - Errors reported when running **rndc addzone** (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems. - When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category. - If **named** is not configured to validate answers, then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked. - Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures *`number`* ;". [RT #37927] - The experimental SIT option (code point 65001) of BIND 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE option (code point 10). It is no longer experimental, and is sent by default, by both **named** and **dig** . The SIT-related named.conf options have been marked as obsolete, and are otherwise ignored. - When **dig** receives a truncated (TC=1) response or a BADCOOKIE response code from a server, it will automatically retry the query using the server COOKIE that was returned by the server in its initial response. [RT #39047] - Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported. - A new `nsip-wait-recurse` directive has been added to RPZ, specifying whether to look up unknown name server IP addresses and wait for a response before applying RPZ-NSIP rules. The default is **`yes`** . If set to **`no`** , **named** will only apply RPZ-NSIP rules to servers whose addresses are already cached. The addresses will be looked up in the background so the rule can be applied on subsequent queries. This improves performance when the cache is cold, at the cost of temporary imprecision in applying policy directives. [RT #35009] - Within the `response-policy` option, it is now possible to configure RPZ rewrite logging on a per-zone basis using the `log` clause. - The default preferred glue is now the address type of the transport the query was received over. - On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one. - Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage. - Added support for the AVC resource record type (Application Visibility and Control). - Changed **rndc reconfig** behavior so that newly added zones are loaded asynchronously and the loading does not block the server. - **minimal-responses** now takes two new arguments: `no-auth` suppresses populating the authority section but not the additional section; `no-auth-recursive` does the same but only when answering recursive queries. - At server startup time, the queues for processing notify and zone refresh queries are now processed in LIFO rather than FIFO order, to speed up loading of newly added zones. [RT #42825] - When answering queries of type MX or SRV, TLSA records for the target name are now included in the additional section to speed up DANE processing. [RT #42894] - **named** can now use the TCP Fast Open mechanism on the server side, if supported by the local operating system. [RT #42866] --- ## Bug Fixes - Fixed a crash when calling **rndc stats** on some Windows builds: some Visual Studio compilers generate code that crashes when the "%z" printf() format specifier is used. [RT #42380] - Windows installs were failing due to triggering UAC without the installation binary being signed. - A change in the internal binary representation of the RBT database node structure enabled a race condition to occur (especially whenBIND was built with certain compilers or optimizer settings), leading to inconsistent database state which caused random assertion failures. [RT #42380] ## End of Life This branch of BIND will be maintained through the December, 2021. [https://www.isc.org/downloads/software-support-policy/](https://www.isc.org/downloads/software-support-policy) ### Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at [http://www.isc.org/donate/](http://www.isc.org/donate).