Changes to be aware of when moving from BIND 9.11 to 9.16
  • 07 Sep 2023

Article summary

There were a lot of fundamental changes in BIND between the last two supported ESV versions, 9.11 and 9.16. This article summarises what those changes are so that you can go into upgrades with eyes open, knowing which features are likely to affect your installation and which parameters you might need to adjust.

Working document

This article is still under construction. We will add more detail about impacts of the changes listed as we learn about them.

Major changes in 9.16 include:

  • Replacement of the ISC proprietary network code with the Linux libuv library. This was done in part to support the development of alternative new transports (DNS over TLS and DNS over HTTPS), but also to modernize network handling.
  • Development of the new Key and Signing Policy (KASP) tool which substantially modernized DNSSEC maintenance for authoritative operators.
  • Qname minimization, which is enabled by default.
  • Serve-stale, which was added then modified several times as we learned about adverse impacts in deployment.

Memory usage

Update as of BIND 9.16.43. Memory usage in BIND 9.16 at the end of its development was still higher than in 9.11.

Edit as of BIND 9.16.23. At the time of writing this, BIND 9.16 consumes significantly more memory than BIND 9.11. We expect to improve the memory efficiency of 9.16 in coming maintenance releases, but it is likely that even after optimization, 9.16 will require somewhat more memory than 9.11.

The BIND team maintains a Changes log which should include all major changes. To help those who are updating directly from 9.11 to 9.16, we analyzed the options definitions for 9.11.36 and 9.16.23.

The comparison is presented as a table, with a sorted list of features in the first column and the default values for that feature in subsequent columns, for 9.11(-S) and 9.16(-S) versions. The notes column adds some background information, or in some cases links to other articles.

In most cases, features are configurable parameters in named.conf, shown with the literal default in "quotes" followed by a unit where necessary. For example, "3600"s means 3,600 seconds, or one hour. ISO 8601 duration formats are also accepted for some options, so one day could be represented as P1D.
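As an added example (not part of the article), a small Python helper that normalises the duration literals used in the table below, both the ISO 8601 form (P1D, PT1H, P2W) and plain seconds, to integers so that 9.11 and 9.16 defaults can be compared directly; accepting a TTL-style suffix such as 12h is an assumption drawn from the table's "12"h notation rather than something the article states.

```python
import re

# ISO 8601 duration as the article describes: PnW on its own, or PnD with an
# optional TnHnMnS time part (weeks cannot be mixed with other designators).
_ISO8601 = re.compile(r"^P(?:(?P<w>\d+)W|(?:(?P<d>\d+)D)?"
                      r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?)$")
# Plain seconds, or a TTL-style suffix such as 12h; the suffix form is assumed
# here from the table's "12"h notation rather than taken from the article.
_TTL = re.compile(r"^(\d+)([wdhms]?)$")
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}

def duration_to_seconds(value):
    """Normalise a duration literal (with or without the table's quotes) to seconds."""
    text = value.strip().strip('"')
    m = _ISO8601.match(text.upper())
    if m:
        parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
        if not parts:  # "P" or "PT" carries no designators at all
            raise ValueError(f"empty ISO 8601 duration: {value!r}")
        if "w" in parts:
            return parts["w"] * _UNIT["w"]
        return sum(parts.get(k, 0) * _UNIT[k] for k in "dhms")
    m = _TTL.match(text.lower())
    if m:
        return int(m.group(1)) * _UNIT[m.group(2)]
    raise ValueError(f"unrecognised duration: {value!r}")

# 9.16 defaults copied from the comparison table for the options that take durations.
TABLE_DEFAULTS_916 = {
    "dnskey-ttl": "3600", "max-stale-ttl": "1d", "parent-ds-ttl": "P1D",
    "parent-propagation-delay": "PT1H", "publish-safety": "PT1H",
    "purge-keys": "P90D", "retire-safety": "PT1H", "signatures-refresh": "P5D",
    "signatures-validity": "P2W", "signatures-validity-dnskey": "P2W",
    "zone-propagation-delay": "PT5M",
}

def defaults_in_seconds(defaults=TABLE_DEFAULTS_916):
    """Map each option to its default in seconds so 9.11 and 9.16 values compare directly."""
    return {name: duration_to_seconds(v) for name, v in defaults.items()}

if __name__ == "__main__":
    for name, secs in defaults_in_seconds().items():
        print(f"{name:28} {TABLE_DEFAULTS_916[name]:>6} = {secs} s")
```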

Features in bold are general changes.

Features in italics are build-time options.

| feature | 9.11 | 9.11-S | 9.16 | 9.16-S | notes |
|---|---|---|---|---|---|
| *--enable-ipv6* | Building with IPv6 support had to be enabled specifically | Building with IPv6 support had to be enabled specifically | IPv6 support is now enabled by default and this build option does nothing | IPv6 support is now enabled by default and this build option does nothing | |
| *--enable-threads* | Building with support for multi-threading had to be enabled specifically | Building with support for multi-threading had to be enabled specifically | Multi-threaded support is now enabled by default and this option does nothing | Multi-threaded support is now enabled by default and this option does nothing | |
| *--with-openssl* | Not enabled by default | Not enabled by default | Always enabled. The default location can be overridden with this build option | Always enabled. The default location can be overridden with this build option | |
| *--with-tuning* | small | small | large | large | related KB article |
| acache-cleaning-interval | "3600"s | "3600"s | obsolete | obsolete | Additional data is now recorded in the main cache. |
| acache-enable | "no" | "no" | obsolete | obsolete | See above |
| additional-from-auth | "yes" | "yes" | obsolete | obsolete | See above |
| additional-from-cache | "yes" | "yes" | obsolete | obsolete | See above |
| cleaning-interval | obsolete | obsolete | obsolete | obsolete | Cache cleaning has been automatic for some time. This option was removed completely in 9.16. |
| cookie-algorithm | "aes" or "sha256" | "siphash24" | "siphash24" | "siphash24" | SipHash 2-4 was introduced as a valid algorithm and SHA256 was dropped, per RFC 9018. |
| dnskey-sig-validity | absent | "0" | "0" | "0" | DNSSEC underwent a rewrite and several new options were introduced as a result. |
| dnskey-ttl | absent | absent | "3600"s | "3600"s | See above |
| dnssec-enable | "yes" | "yes" | obsolete | obsolete | BIND will now always return DNSSEC records. |
| dnssec-policy | absent | absent | "none" | "none" | KASP, BIND's new DNSSEC key and signing policy |
| dnssec-validation | "yes" | "yes" | "auto" | "auto" | See here for more details |
| **EDNS** | Fallback to no EDNS after timeouts | Fallback to no EDNS after timeouts | no fallback | no fallback | This changed in 9.13.3 because of DNS flag day 2019 |
| filter-aaaa | "any" | "any" | obsolete | obsolete | Replaced with a plug-in module. See this link for more information. |
| filter-aaaa-on-v4 | "no" | "no" | obsolete | obsolete | See above |
| filter-aaaa-on-v6 | "no" | "no" | obsolete | obsolete | See above |
| geoip-use-ecs | "yes" | "yes" | obsolete | obsolete | TBA |
| glue-cache | absent | absent | "yes" | "yes" | Enabled by default on authoritative systems. This change is responsible for a significant performance improvement in delegation-heavy authoritative systems. |
| **journal file format** | old | old | new | new | Format changed in 9.16.14. 9.16 will read 9.11 journal files but 9.11 will not read 9.16 journal files. |
| max-acache-size | "16M" | "16M" | obsolete | obsolete | Additional data is now recorded in the main cache. |
| max-ixfr-ratio | absent | absent | "unlimited" | "unlimited" | Allows tuning of IXFR as a % of zone size. |
| max-journal-size | "unlimited" (2G) | "unlimited" (2G) | 2 * sizeof(zone) | 2 * sizeof(zone) | Changed from a fixed size to a value calculated from the zone size. |
| max-stale-ttl | absent | "12"h | "1"d | "12"h | See here for more information about BIND's stale cache implementation. |
| min-cache-ttl | absent | absent | "0" | "0" | Allows very low TTLs to be increased, for performance |
| min-ncache-ttl | absent | absent | "0" | "0" | Allows very low TTLs to be increased, for performance |
| minimal-responses | "no" | "no" | "no-auth-recursive" | "no-auth-recursive" | Applies minimal-responses to recursive queries only |
| **network stack** | legacy | legacy | libuv/netmgr | libuv/netmgr | libuv is now required for BIND to compile. See here for more information |
| parent-ds-ttl | absent | absent | "P1D" (1 day) | "P1D" (1 day) | Allows tuning of the parent DS record TTLs. See also KASP for more details |
| parent-propagation-delay | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
| parental-source | absent | absent | no default | no default | See KASP for more details |
| parental-source-v6 | absent | absent | no default | no default | See KASP for more details |
| publish-safety | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
| purge-keys | absent | absent | "P90D" (90 days) | "P90D" (90 days) | See KASP for more details |
| qname-minimization | absent | absent | "relaxed" | "relaxed" | See here and here for more information |
| random-device | /dev/random (or equivalent) | /dev/random (or equivalent) | supplied by crypto library | supplied by crypto library | For calculations requiring random numbers, BIND will now use the random number generator function provided by the cryptographic library of the host OS and a Hardware Security Module (HSM), if present. |
| resolver-nonbackoff-tries | absent | "3" | "3" | "3" | The number of retries is now a tunable parameter. |
| resolver-retry-interval | absent | "800"ms | "800"ms | "800"ms | Retry time is now a tunable parameter. |
| retire-safety | absent | absent | "PT1H" (1 hour) | "PT1H" (1 hour) | See KASP for more details |
| signatures-refresh | absent | absent | "P5D" (5 days) | "P5D" (5 days) | See KASP for more details |
| signatures-validity | absent | absent | "P2W" (2 weeks) | "P2W" (2 weeks) | See KASP for more details |
| signatures-validity-dnskey | absent | absent | "P2W" (2 weeks) | "P2W" (2 weeks) | See KASP for more details |
| stale-answer-client-timeout | absent | absent | "off" | "off" | See here for more information about BIND's stale cache implementation. |
| stale-answer-enable | absent | "no" | "no" | "no" | See here for more information about BIND's stale cache implementation. |
| stale-answer-ttl | absent | "1"s | "30"s | "30"s | See here for more information about BIND's stale cache implementation. |
| stale-cache-enable | absent | "yes" | "yes" | "yes" | See here for more information about BIND's stale cache implementation. |
| stale-refresh-time | absent | absent | "30" | "30" | Allows BIND to return stale answers if all NS are unreachable, checking every stale-refresh-time to see whether any NS have started responding again. |
| synth-from-dnssec | absent | absent | "no" | "no" | Requires DNSSEC validation to be enabled and working. The default will change to "yes" in a future release. |
| tcp-advertised-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | |
| tcp-idle-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | |
| tcp-initial-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | |
| tcp-keepalive-timeout | absent | "300" (30s) | "300" (30s) | "300" (30s) | |
| zone-propagation-delay | absent | absent | "PT5M" (5 minutes) | "PT5M" (5 minutes) | See KASP for more details |
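To turn the table into a pre-upgrade check, the following Python script (added here; not an ISC tool) scans a named.conf fragment for options the table marks obsolete in 9.16, for the dropped sha256 cookie algorithm, and for options left unset whose built-in default changed between 9.11 and 9.16. The configuration fragment is constructed for illustration, and the statement parser is deliberately simple: it collects `name value;` statements after stripping comments and does not track nested blocks.

```python
import re

# Options the comparison table marks obsolete in 9.16.
OBSOLETE = {
    "acache-cleaning-interval", "acache-enable", "additional-from-auth",
    "additional-from-cache", "cleaning-interval", "dnssec-enable",
    "filter-aaaa", "filter-aaaa-on-v4", "filter-aaaa-on-v6",
    "geoip-use-ecs", "max-acache-size",
}
# Built-in defaults that differ between 9.11 and 9.16 (per the table): if the
# option is not set explicitly, behaviour changes silently after the upgrade.
CHANGED_DEFAULTS = {
    "dnssec-validation": ("yes", "auto"),
    "minimal-responses": ("no", "no-auth-recursive"),
    "max-journal-size": ("unlimited", "2 * sizeof(zone)"),
    "qname-minimization": ("absent", "relaxed"),
}
# Values 9.16 no longer accepts for options that still exist.
DROPPED_VALUES = {"cookie-algorithm": {"sha256"}}

_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_STMT = re.compile(r"^\s*([a-z0-9-]+)\s+([^;{]*?)\s*;", re.M)

def audit_named_conf(text):
    """Return (kind, option, detail) findings for a 9.11 config moving to 9.16."""
    seen = {}
    for m in _STMT.finditer(_COMMENTS.sub("", text)):
        seen[m.group(1)] = m.group(2).strip().strip('"')
    findings = []
    for name in sorted(seen):
        if name in OBSOLETE:
            findings.append(("obsolete", name, seen[name]))
        elif seen[name] in DROPPED_VALUES.get(name, ()):
            findings.append(("dropped-value", name, seen[name]))
    for name, (old, new) in sorted(CHANGED_DEFAULTS.items()):
        if name not in seen:  # unset, so the new built-in default applies
            findings.append(("default-changed", name, f"{old} -> {new}"))
    return findings

# Constructed 9.11-era fragment for illustration; not taken from any real deployment.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    dnssec-enable yes;          // obsolete in 9.16
    dnssec-validation yes;      # set explicitly, so the yes -> auto change is moot
    cookie-algorithm sha256;    /* sha256 was dropped in 9.16 */
    acache-enable no;
    max-stale-ttl 12h;
};
"""

if __name__ == "__main__":
    for kind, name, detail in audit_named_conf(SAMPLE_NAMED_CONF):
        print(f"{kind:16} {name:24} {detail}")
```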

Further reading

ISO 8601 representation of durations