Changes to be aware of when moving from BIND 9.11 to 9.16
There were many fundamental changes in BIND between the two most recent Extended Support Versions (ESV), 9.11 and 9.16. This article summarises those changes so that you can go into an upgrade with eyes open, knowing which features are likely to affect your installation and which parameters you might need to adjust.
This article is still under construction. We will add more detail about impacts of the changes listed as we learn about them.
Major changes in 9.16 include:
- Replacement of the ISC proprietary network code with the Linux libuv library. This was done in part to support the development of alternative new transports (DNS over TLS and DNS over HTTPS), but also to modernize network handling.
- Development of the new Key and Signing Policy (KASP) tool which substantially modernized DNSSEC maintenance for authoritative operators.
- Qname minimization, which is enabled by default.
- Serve-stale, which was added then modified several times as we learned about adverse impacts in deployment.
Update as of BIND 9.16.43. Memory usage in BIND 9.16 at the end of its development was still higher than in 9.11.
Edit as of BIND 9.16.23. At the time of writing, BIND 9.16 consumes significantly more memory than BIND 9.11. We expect to improve the memory efficiency of 9.16 in coming maintenance releases, but it is likely that even after optimization, 9.16 will require somewhat more memory than 9.11.
The BIND team maintains a Changes log which should include all major changes. To help those who are updating directly from 9.11 to 9.16, we analyzed the option definitions for 9.11.36 and 9.16.23.
The comparison is presented as a table, with a sorted list of features in the first column and the default values for that feature in subsequent columns, for 9.11(-S) and 9.16(-S) versions. The notes column adds some background information, or in some cases links to other articles.
In most cases, features are configurable parameters in named.conf, with the literal defaults in "quotes" followed by a unit where necessary. For example, "3600"s means 3,600 seconds, or one hour. ISO 8601 duration formats are also accepted for some options, so 1 day could be represented by P1D.
Features in bold are general changes.
Features in italics are build time options.
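The two notations above ("3600"s-style suffixes and ISO 8601 durations such as P1D or PT1H) describe the same quantity in different forms. The converter below is an added example, not ISC code, that reduces both notations to seconds so defaults from the table can be compared directly. It assumes that a bare number is seconds, and that a year is counted as 365 days and a month as 30 days when an ISO 8601 duration is reduced to seconds; check those two assumptions against the BIND ARM for your release before relying on them.

```python
"""Reduce the duration notations used in this article to seconds."""
import re

# ISO 8601 duration: P[nY][nM][nW][nD][T[nH][nM][nS]]. Assumption (not from the
# article): a year counts as 365 days and a month as 30 days.
_ISO_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<MO>\d+)M)?(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<H>\d+)H)?(?:(?P<MI>\d+)M)?(?:(?P<S>\d+)S)?)?$"
)
_ISO_SECONDS = {"Y": 365 * 86400, "MO": 30 * 86400, "W": 7 * 86400,
                "D": 86400, "H": 3600, "MI": 60, "S": 1}

# Suffix notation as written in the table: "3600"s, "12"h, "1"d, or a bare
# number, which is taken to mean seconds.
_SUFFIX_RE = re.compile(r'^"?(\d+)"?\s*([smhdw]?)$')
_SUFFIX_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def duration_to_seconds(text: str) -> int:
    """Convert either notation to whole seconds; raise ValueError otherwise."""
    text = text.strip()
    upper = text.upper()
    m = _ISO_RE.match(upper)
    if m and upper.startswith("P"):
        parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
        if not parts:
            raise ValueError(f"empty ISO 8601 duration: {text!r}")
        return sum(_ISO_SECONDS[k] * n for k, n in parts.items())
    m = _SUFFIX_RE.match(text.lower())
    if not m:
        # e.g. "800"ms: millisecond values are deliberately not coerced
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _SUFFIX_SECONDS[m.group(2)]


if __name__ == "__main__":
    for sample in ('"3600"s', "PT1H", "P1D", '"1"d', "P2W", "P90D"):
        print(f"{sample:>10} = {duration_to_seconds(sample)} s")
```

A quick sanity check is that "3600"s and "PT1H" reduce to the same value, as do "1"d and "P1D"; the table's 9.16 KASP defaults (P5D, P2W, P90D) can then be compared against the seconds-based values used elsewhere in the same configuration.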
feature | 9.11 | 9.11-S | 9.16 | 9.16-S | notes |
---|---|---|---|---|---|
*--enable-ipv6* | Building with IPv6 support had to be enabled specifically | Building with IPv6 support had to be enabled specifically | IPv6 support is now enabled by default and this build option does nothing | IPv6 support is now enabled by default and this build option does nothing | |
*--enable-threads* | Building with support for multi-threading had to be enabled specifically | Building with support for multi-threading had to be enabled specifically | Multi-threaded support is now enabled by default and this option does nothing | Multi-threaded support is now enabled by default and this option does nothing | |
*--with-openssl* | Not enabled by default | Not enabled by default | Always enabled. The default location can be overridden with this build option | Always enabled. The default location can be overridden with this build option | |
*--with-tuning* | small | small | large | large | related KB article |
acache-cleaning-interval | "3600"s | "3600"s | obsolete | obsolete | Additional data is now recorded in the main cache. |
acache-enable | "no" | "no" | obsolete | obsolete | See above |
additional-from-auth | "yes" | "yes" | obsolete | obsolete | See above |
additional-from-cache | "yes" | "yes" | obsolete | obsolete | See above |
cleaning-interval | obsolete | obsolete | obsolete | obsolete | Cache cleaning has been automatic for some time. This option was removed completely in 9.16. |
cookie-algorithm | "aes" or "sha256" | "siphash24" | "siphash24" | "siphash24" | SipHash 2-4 was introduced as a valid algorithm and SHA256 was dropped, per RFC 9018. |
dnskey-sig-validity | absent | "0" | "0" | "0" | DNSSEC underwent a rewrite and several new options were introduced as a result. |
dnskey-ttl | absent | absent | "3600"s | "3600"s | See above |
dnssec-enable | "yes" | "yes" | obsolete | obsolete | BIND will now always return DNSSEC records. |
dnssec-policy | absent | absent | "none" | "none" | KASP - BIND's new dnssec key and signing policy |
dnssec-validation | "yes" | "yes" | "auto" | "auto" | See here for more details |
**EDNS** | Fallback to no EDNS after timeouts | Fallback to no EDNS after timeouts | no fallback | no fallback | This changed in 9.13.3 because of DNS flag day 2019 |
filter-aaaa | "any" | "any" | obsolete | obsolete | Replaced with a plug-in module. See this link for more information. |
filter-aaaa-on-v4 | "no" | "no" | obsolete | obsolete | See above |
filter-aaaa-on-v6 | "no" | "no" | obsolete | obsolete | See above |
geoip-use-ecs | "yes" | "yes" | obsolete | obsolete | TBA |
glue-cache | absent | absent | "yes" | "yes" | Enabled by default on authoritative systems. This change is responsible for a significant performance improvement in delegation-heavy authoritative systems. |
**journal file format** | old | old | new | new | Format changed in 9.16.14. 9.16 will read 9.11 journal files but 9.11 will not read 9.16 journal files. |
max-acache-size | "16M" | "16M" | obsolete | obsolete | Additional data is now recorded in the main cache. |
max-ixfr-ratio | absent | absent | "unlimited" | "unlimited" | Allows tuning of IXFR as a % of zone size. |
max-journal-size | "unlimited" (2G) | "unlimited" (2G) | 2 * sizeof(zone) | 2 * sizeof(zone) | Changed from a fixed size to a value calculated from the zone size. |
max-stale-ttl | absent | "12"h | "1"d | "12"h | See here for more information about BIND's stale cache implementation. |
min-cache-ttl | absent | absent | "0" | "0" | Allows very low TTLs to be increased, for performance |
min-ncache-ttl | absent | absent | "0" | "0" | Allows very low TTLs to be increased, for performance |
minimal-responses | "no" | "no" | "no-auth-recursive" | "no-auth-recursive" | Applies minimal-responses to recursive queries only |
**network stack** | legacy | legacy | libuv/netmgr | libuv/netmgr | libuv is now required for BIND to compile. See here for more information |
parent-ds-ttl | absent | absent | "P1D" (1 day) | "P1D" (1 day) | Allows tuning of the parent DS record TTLs. See also KASP for more details |
parent-propagation-delay | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
parental-source | absent | absent | no default | no default | See KASP for more details |
parental-source-v6 | absent | absent | no default | no default | See KASP for more details |
publish-safety | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
purge-keys | absent | absent | "P90D" (90 days) | "P90D" (90 days) | See KASP for more details |
qname-minimization | absent | absent | "relaxed" | "relaxed" | See here and here for more information |
random-device | /dev/random (or equivalent) | /dev/random (or equivalent) | supplied by the cryptographic library | supplied by the cryptographic library | For calculations requiring random numbers, BIND now uses the random number generator provided by the cryptographic library of the host OS, or by a Hardware Security Module (HSM) if one is present. |
resolver-nonbackoff-tries | absent | "3" | "3" | "3" | The number of retries is now a tunable parameter. |
resolver-retry-interval | absent | "800"ms | "800"ms | "800"ms | Retry time is now a tunable parameter. |
retire-safety | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
signatures-refresh | absent | absent | "P5D" (5 days) | "P5D" (5 days) | See KASP for more details |
signatures-validity | absent | absent | "P2W" (2 weeks) | "P2W" (2 weeks) | See KASP for more details |
signatures-validity-dnskey | absent | absent | "P2W" (2 weeks) | "P2W" (2 weeks) | See KASP for more details |
stale-answer-client-timeout | absent | absent | "off" | "off" | See here for more information about BIND's stale cache implementation. |
stale-answer-enable | absent | "no" | "no" | "no" | See here for more information about BIND's stale cache implementation. |
stale-answer-ttl | absent | "1"s | "30"s | "30"s | See here for more information about BIND's stale cache implementation. |
stale-cache-enable | absent | "yes" | "yes" | "yes" | See here for more information about BIND's stale cache implementation. |
stale-refresh-time | absent | absent | "30" | "30" | Allows BIND to return stale answers if all NS are unreachable, checking every stale-refresh-time to see if any NS have started responding again |
synth-from-dnssec | absent | absent | "no" | "no" | Requires DNSSEC validation to be enabled and working. The default will change to "yes" in a future release. |
tcp-advertised-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | Value is in units of 100 ms, so "300" is 30 seconds. |
tcp-idle-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | Value is in units of 100 ms, so "300" is 30 seconds. |
tcp-initial-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | Value is in units of 100 ms, so "300" is 30 seconds. |
tcp-keepalive-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | Value is in units of 100 ms, so "300" is 30 seconds. |
zone-propagation-delay | absent | absent | "PT5M" (5 minutes) | "PT5M" (5 minutes) | See KASP for more details |
Further reading
ISO 8601 representation of durations