--- title: "BIND 9.20 Significant Changes" slug: "bind-920-changes" description: "Changes in BIND 9.20 that operators should be aware of" tags: ["BIND 9.20", "DNSSEC Policy", "Inline Signing", "Upgrading"] updated: 2026-03-23T19:59:46Z published: 2026-03-23T19:59:46Z --- > ## Documentation Index > Fetch the complete documentation index at: https://kb.isc.org/llms.txt > Use this file to discover all available pages before exploring further. # BIND 9.20 Significant Changes Maintaining ISC's process of continuous improvement, there have been some major changes between BIND 9.18 and BIND 9.20. This article highlights the changes most likely to require changes in configuration or operator procedures. The intent is not to replace our advice that operators always pay attention to the [Release Notes](https://downloads.isc.org/isc/bind9/cur/9.20/doc/arm/html/notes.html), but to quickly point operators to the most relevant aspects. For more information on how features are *deprecated* and *removed*, and what those terms mean, see [ISC's policy for removing named.conf options](https://kb.isc.org/docs/policy-for-removing-namedconf-options). ## Changes ### Inline signing Changes around the `inline-signing` feature were made: - `inline-signing` can now also be set inside `dnssec-policy`, where it defaults to **yes** - If also set at the `zone` level, that overrides the setting in `dnssec-policy` Use Caution With Existing DNSSEC Zones Operators with existing DNSSEC-signed zones are advised to review their configuration with regards to zone content and DNSSEC signature maintenance. The new behavior may unexpectedly convert existing zones to inline-signed if defaults are kept. Prior to BIND 9.20, if using `dnssec-policy` (or the legacy `auto-dnssec maintain`), it was required that ***either*** zone content was maintained using dynamic updates, ***or*** that the `inline-signing` feature was enabled (or both). If ***neither*** was set, `named` would report an invalid configuration. As of BIND 9.20, all DNSSEC-signed zones configured to use `dnssec-policy` will now become inline-signed, unless explicitly configured ***not*** to have this feature enabled. This will also result in [journal files](https://bind9.readthedocs.io/en/v9.20.0/chapter6.html#the-journal-file) alongside the zone files. Operators wishing to avoid the above scenario following their upgrade should ensure that they have explicitly set `inline-signing no` as appropriate. Operators who have not configured use of any `dnssec-policy` are not affected by this change. For more information, see the [DNSSEC Key and Signing Policy](https://kb.isc.org/docs/dnssec-key-and-signing-policy) article. ### Performance BIND now uses a new in-memory database, known as QPDB (or QPzone or QPtrie, depending on which part of it you are looking at). The older in-memory database, RBTDB (red-black tree database) is still available, but is no longer the default. Ongoing efforts to improve BIND's usage of CPU and RAM on modern hardware mean the resource consumption is likely to be different. Overall, the most common scenario is that BIND may use slightly more processor and memory than before, but it will use both much more efficiently as load increases. However, performance characteristics are highly dependent on individual circumstances. If performance is of particular concern, we recommend testing and gradual deployment, with careful monitoring. ### Run-time configuration - `allow-transfer` now defaults to `none` - `dnssec-validation` - When set to `yes`, now requires explicit `trust-anchors`. - The default of `auto` is recommended for most resolvers. - Separate logging categories for `notify` and `xfer-in` are now used. - The options `parental-agents` and `primaries` now have a new preferred name `remote-servers`. The older names will continue to be supported as aliases. ### Other - `named-compilezone`: Integrity checks are now omitted by default. ## Deprecated The following features or statements are now deprecated and will be removed in a future release. Their use is still supported for now, but may cause a warning to be emitted. Operators using these features should plan for their eventual removal. - Using `NSEC3` with an iteration count other than 0 (zero) is no longer supported. - `max-zone-ttl` in the `options` or a `zone` block (use `dnssec-policy` instead). - `sortlist`. - `rrset-order` with a value of `fixed`. - DLZ (Dynamically Loadable Zones). ## Removed The following features have been removed entirely. Attempting to use them will result in an error or abort. ### Run-time configuration The following configuration items (as used in or included by `named.conf`) have been removed. Attempting to use them will cause an error and `named` will refuse to start. - `auto-dnssec` - `dnskey-sig-validity` - `dnssec-dnskey-kskonly` - `dnssec-update-mode` - `sig-validity-interval` - `update-check-ksk` - `dnssec-secure-to-insecure` - `glue-cache` - `alt-transfer-source` - `alt-transfer-source-v6` - `use-alt-transfer-source` - `resolver-nonbackoff-tries` - `resolver-retry-interval` - [`stale-answer-client-timeout`](https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-stale-answer-client-timeout) with a value other than `0` (zero) or `off` - `keep-response-order` - `cookie-algorithm aes` - `delegation-only` - `root-delegation-only` - `coresize` - `datasize` - `files` - `stacksize` - `lock-file` - `dscp` - `ip_dscp` ### Build and libraries The following have been removed: - Option `--with-tuning` to `configure` - Library `libbind9` (replaced by `libisc` + `libisccfg`) - Library `libirs` (the only remaining export, `irs_resconf`, was moved to `libdns`) ### Other The following have also been removed: - `-U` command-line switch to `named` (number of UDP workers). - All configuration for DSCP (Differentiated Services Code Point). - Support for TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode). - Support for Microsoft Windows 2000 GSS-TSIG (including `nsupdate` with `-o` and/or `oldgsstsig`). ## Further reading - [BIND 9.20 Release Notes](https://downloads.isc.org/isc/bind9/cur/9.20/doc/arm/html/notes.html) - Covers these changes in more depth, and also addresses new features and bug fixes - [BIND 9.20 Change Log](https://downloads.isc.org/isc/bind9/cur/9.20/doc/arm/html/changelog.html) - Detailed itemization of every change - [BIND 9 Significant Features Matrix](https://kb.isc.org/docs/aa-01310) - Comparison table across BIND major versions ## Related - [BIND 9.16 Significant Changes](/changes-to-be-aware-of-when-moving-from-911-to-916.md) - [BIND 9 Significant Features Matrix](/aa-01310.md) - [BIND 9.18 Significant Changes](/changes-to-be-aware-of-when-moving-from-bind-916-to-918.md)