Changes to be aware of when moving from BIND 9.18 to 9.20


As part of ISC's process of continuous improvement, there have been some major changes between BIND 9.18 and BIND 9.20. This article highlights the changes most likely to require adjustments to configuration or operator procedures. The intent is not to replace our advice that operators always pay attention to the Release Notes, but to point operators quickly to the most relevant aspects.

For more information on how features are deprecated and removed, and what those terms mean, see ISC's policy for removing named.conf options.

Changes

Inline signing

The following changes were made to the inline-signing feature:

  • inline-signing can now also be set inside dnssec-policy, where it defaults to yes.
  • If it is also set at the zone level, the zone-level setting overrides the one in dnssec-policy.

Use Caution With Existing DNSSEC Zones

Operators with existing DNSSEC-signed zones are advised to review their configuration with regard to zone content and DNSSEC signature maintenance. The new behavior may unexpectedly convert existing zones to inline-signed if the defaults are kept.

Prior to BIND 9.20, if using dnssec-policy (or the legacy auto-dnssec maintain), it was required that either zone content was maintained using dynamic updates, or that the inline-signing feature was enabled (or both). If neither was set, named would report an invalid configuration.

As of BIND 9.20, all DNSSEC-signed zones configured to use dnssec-policy will now become inline-signed, unless explicitly configured not to have this feature enabled. This will also result in journal files alongside the zone files.

Operators wishing to avoid the above scenario following their upgrade should ensure that they have explicitly set inline-signing no where appropriate.

Operators who have not configured use of any dnssec-policy are not affected by this change.

For more information, see the DNSSEC Key and Signing Policy article.
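An added example (not from the article) showing how a zone that is maintained by dynamic updates keeps its 9.18 signing behaviour after the upgrade, while a hand-edited zone takes the new inline-signing default. The policy name, zone names and file paths are placeholders.

```conf
// Added example, not from the article: explicit inline-signing settings for
// BIND 9.20. Policy name, zone names and file paths are placeholders.

dnssec-policy "example-policy" {
    keys {
        csk lifetime unlimited algorithm ecdsa256;
    };
    // New in 9.20: inline-signing may be set here; "yes" is the default
    // when it is omitted, so this line only makes the default visible.
    inline-signing yes;
};

// Zone content maintained by dynamic updates. Without the explicit
// "inline-signing no" below, 9.20 would convert the zone to inline signing
// and start writing a signed copy (.signed) and its journal next to the
// zone file.
zone "dynamic.example" {
    type primary;
    file "/var/named/dynamic.example.db";
    dnssec-policy "example-policy";
    inline-signing no;      // zone-level setting overrides the policy
    update-policy local;
};

// Zone file edited by hand: inline signing (the policy default) is the
// intended mode, so nothing needs to be overridden here.
zone "static.example" {
    type primary;
    file "/var/named/static.example.db";
    dnssec-policy "example-policy";
};
```

Running named-checkconf -p prints the parsed configuration, so each zone's explicit inline-signing setting can be confirmed before named is restarted on 9.20.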

Performance

BIND now uses a new in-memory database, known as QPDB (or QPzone or QPtrie, depending on which part of it you are looking at). The older in-memory database, RBTDB (red-black tree database) is still available, but is no longer the default.

Ongoing efforts to improve BIND's usage of CPU and RAM on modern hardware mean the resource consumption is likely to be different. Overall, the most common scenario is that BIND may use slightly more processor and memory than before, but it will use both much more efficiently as load increases. However, performance characteristics are highly dependent on individual circumstances. If performance is of particular concern, we recommend testing and gradual deployment, with careful monitoring.

Run-time configuration

  • allow-transfer now defaults to none.
  • dnssec-validation
    • When set to yes, an explicit trust-anchors statement is now required.
    • The default of auto is recommended for most resolvers.
  • Separate logging categories for notify and xfer-in are now used.
  • The options parental-agents and primaries now have a new preferred name, remote-servers. The older names will continue to be supported as aliases.
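An added example (not from the article) that puts the four run-time changes above into one named.conf fragment: an explicit allow-transfer now that the default is none, dnssec-validation left at auto, dedicated channels for the new notify and xfer-in categories, and a remote-servers list. The key name, secret, addresses, paths and zone name are placeholders; the zone-level primaries statement referencing the remote-servers list relies on the alias relationship the article describes.

```conf
// Added example, not from the article. Key name, secret, addresses, paths
// and zone name are placeholders.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    directory "/var/named";
    // 9.20: allow-transfer defaults to none, so secondaries must be
    // listed explicitly; here only TSIG-authenticated requests qualify.
    allow-transfer { key "xfer-key"; };
    // "auto" uses the built-in root trust anchor. Setting "yes" instead
    // now requires a trust-anchors statement.
    dnssec-validation auto;
};

logging {
    channel transfers {
        file "/var/log/named/transfers.log" versions 5 size 20m;
        severity info;
        print-time yes;
    };
    // notify and xfer-in now have their own categories; route both to the
    // channel above so transfer activity is easy to audit.
    category notify  { transfers; };
    category xfer-in { transfers; };
};

// "remote-servers" is the new preferred name; "primaries" and
// "parental-agents" remain as aliases.
remote-servers "upstream" {
    192.0.2.1 key "xfer-key";
};

zone "secondary.example" {
    type secondary;
    file "secondary.example.db";
    primaries { upstream; };   // references the remote-servers list
};
```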

Other

  • named-compilezone: Integrity checks are now omitted by default.

Deprecated

The following features or statements are now deprecated and will be removed in a future release. Their use is still supported for now, but may cause a warning to be emitted. Operators using these features should plan for their eventual removal.

  • Using NSEC3 with an iteration count other than 0 (zero) is no longer supported.
  • max-zone-ttl in the options or a zone block (use dnssec-policy instead).
  • sortlist.
  • rrset-order with a value of fixed.
  • DLZ (Dynamically Loadable Zones).

Removed

The following features have been removed entirely. Attempting to use them will result in an error or abort.

Run-time configuration

The following configuration items (as used in or included by named.conf) have been removed. Attempting to use them will cause an error and named will refuse to start.

  • auto-dnssec
  • dnskey-sig-validity
  • dnssec-dnskey-kskonly
  • dnssec-update-mode
  • sig-validity-interval
  • update-check-ksk
  • dnssec-secure-to-insecure
  • glue-cache
  • alt-transfer-source
  • alt-transfer-source-v6
  • use-alt-transfer-source
  • resolver-nonbackoff-tries
  • resolver-retry-interval
  • stale-answer-client-timeout with a value of 0
  • keep-response-order
  • cookie-algorithm aes
  • delegation-only
  • root-delegation-only
  • coresize
  • datasize
  • files
  • stacksize
  • lock-file
  • dscp
  • ip_dscp

Build and libraries

The following have been removed:

  • Option --with-tuning to configure
  • Library libbind9 (replaced by libisc + libisccfg)
  • Library libirs (the only remaining export, irs_resconf, was moved to libdns)

Other

The following have also been removed:

  • -U command-line switch to named (number of UDP workers).
  • All configuration for DSCP (Differentiated Services Code Point).
  • Support for TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode).
  • Support for Microsoft Windows 2000 GSS-TSIG (including nsupdate with -o and/or oldgsstsig).

Further reading