BIND 9 Significant Features Matrix

Updated on 06 Sep 2023
6 Minutes to read
Contributors

Print
Share
Dark

Light
PDF

Article Summary

Share feedback

Thanks for sharing your feedback!

This table lists the major feature differences among the current supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.

Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.

These tables do not include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.

BIND -S software

The "-S" (stable preview) editions are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.

Refactoring

BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this did not result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.

Notes:

"all" indicates that this feature was (or will be) introduced in the first public release of this branch.
Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.

Major Features Added or Changed

Feature	9.18 current stable	9.18-S current stable	9.16 old stable	9.16-S old stable	9.11 EOL	9.11-S EOL
DDOS mitigation: DNS COOKIE (previously called SIT)	all	all	updated in 9.16.10	updated in 9.16.10-S	updated in 9.11.26 aes or sha256	algorithm changed to siphash24, multiple cookie secrets added
DDOS mitigation: Multiple response rate limiters for different domains	---	all	---	all	---	all
DDOS mitigation: Size & ratio controls for response rate limiters	---	all	---	all	---	all
DNSSEC: Key and Signing Policy	updated	updated	new	new	---	---
DNSSEC validation	auto	auto	default changed from yes to auto	auto	---	---
DNSSEC: `validate-except` Permanent Negative trust anchors	all	all	all	all	---	added (backported from 9.13.10)
DNS over HTTPS (DoH) (RFC 8484)	all	all	---	---	---	---
DNS over TLS (DoT) (RFC 7858)	all	all	---	---	---	---
Documentation: BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs	all	all	all	---	---	---
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020)	all	all	9.16.8	9.16.8	9.11.24	9.11.24
EDNS Client-Subnet (ECS) for resolver	---	all	---	all, updated 9.16.10-S	---	all, updated 9.11.26-S
EDNS Client-Subnet (ECS) option support for authoritative servers	---	---	removed	removed	experimental	experimental
EDNS Padding (RFC 7830)	all	all	all	all	---	all
Extended Errors (RFC 8914)	#18	#18	---	---	---	---
GeoIP support	2.0 api	2.0 api	all	2.0 api	all	all
IXFR size limits	all	all	new `max-ixfr-ratio` option	all	---	---
Management: automatic DNSTAP file rolling	all	all	all	all	---	added
Management: timestamp suffix option for rolled log files and DNSTAP files	all	all	all	all	---	added
Maximum timeout increased	all	all	all	all	all, longer max timeout	all, longer max timeout
Mirror Zones (RFC 8806)	all	all	added (9.13.2)	all	---	---
BIND Modules: plug-in support for query processing	now asynchronous	now asynchronous	added (9.13.2)	all	---	---
Performance: EDNS TCP keepalive support (RFC 7828)	all	all	all	all	---	all
Performance: glue cache	The option has been deprecated. The feature will be enabled by default in the future	The option has been deprecated. The feature will be enabled by default in the future	added	added	---	---
Performance: minimal responses (RFC 8482)	all	all	added	added	---	---
Performance: answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/)	modified, re-enabled by default	modified, re-enabled by default	present, disabled by default	present, disabled by default	---	---
Performance: pipelined TCP queries (server side) (RFC 7766)	all	all	---	all	all	all
QNAME minimization (RFC 9156)	all	all	all	all	---	all
RPZ-passthru new logging channel	all	all	---	---	---	---
RPZ: refactored RPZ	all	all	all	all	---	all, rate limits added
RPZ: `nsdname-wait-recurse`	all	all	all	all	---	all
RPZ: Response Policy Service API	all	all	new	new	---	---
New RRs	HTTPS, SCVB	HTTPS, SCVB	---	---	---	---
Serve Stale	see KB	see KB	all, updated 9.16.9, 9.16.13	all, updated 9.16.9-S, 9.16.13-S	---	9.11.4-S, updated 9.11.25-S, 9.11-30-S1
Umbrella PROTOSS EDNS option	---	all	---	all	---	new
Zone transfer over TLS, aka XoT (RFC 9103)	new	new	---	---	---	---

Features Removed (or Planned for Removal)

In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of deprecated features generates a warning.

"Obsolete"/Removed" options are no longer in use: they are either ignored or named.conf will not load with them. We have a policy for removing options by a phased process: the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."

Feature	9.24	9.22	9.20	9.18 current stable	9.16 old stable	9.15 EOL	9.14 EOL	9.12 EOL
acache cleaning-interval, acache enable, additional from auth, additional from cache	---	---	---	---	additional data now recorded in main cache
cleaning-interval	---	---	---	---	removed	obsolete	obsolete	obsolete
Crypto: Native PKCS#11	---	---	---	removed in 9.18, replaced with OpenSC PKCS#11	deprecated
dig+sigchase	---	---	---	---	---	---	---	removed
DLV (DNSSEC Look-Aside Validator)	---	---	---	---	removed	deprecated
DLV trust anchor	---	---	---	---	---	---	---	removed
DLZ drivers (DLZ modules unaffected)	---	---	---	deprecated in 9.17.19, to be removed in 9.18
DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST)	---	---	---	---	---	---	removed
DNSSEC-enable	---	---	---	obsolete	obsolete	9.15.1; DNSSEC enabled by default
DNSSEC-must-be-secure	---	fatal error	deprecation warning	insecure answers will be accepted with NTA	insecure answers will be accepted with NTA	insecure answers will be accepted with NTA	insecure answers will be accepted with NTA	insecure answers will be accepted with NTA
DNSSEC managed-keys						9.15.1; replaced with trust-anchors plus initial-key
DNSSEC trusted-keys						9.15.1; replaced with trust-anchors plus static-key
DSCP	---	---	obsolete	deprecated/non-operational	deprecated/non-operational
EDNS Client-Subnet (ECS) authoritative	---	---	---	---	---	---	removed
lwresd	---	---	---	---	---	---	---	removed
"map" zone file format	---	---	---	removed	deprecated
Source ports: explicit definition of source ports for outgoing connections	---	obsolete	deprecated		discouraged as it implicitly disables source port randomization
TKEY mode 2, switch to TKEY Mode 3 (GSS-API)	---	---	removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH	deprecated, tkey-dhkey will warn
Windows 32-bit support	---	---	---	removed	deprecated
Zone type `delegation-only`, and the `delegation-only` and `root-delegation-only` statements	---	---	removed	deprecated (9.18.4)

Utilities

Utility	9.18	9.16	9.16-S	9.11	9.11-S
dig	+unexpected removed, +qid= and +dns64prefix added; dig is now able to send DOH and DOT queries; dig output now includes the transport protocol used	all	all	all	all
dnssec-cds	all	all	all	---	---

What's Next

Policy for removing named.conf options

Table of contents