BIND 9 Significant Features Matrix
This table lists the major feature differences among the current supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.
Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.
These tables do not include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.
The "-S" (stable preview) editions are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.
Refactoring
BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this did not result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.
Major Features Added or Changed
Feature | 9.18 current stable | 9.18-S current stable | 9.16 old stable | 9.16-S old stable | 9.11 EOL | 9.11-S EOL |
---|---|---|---|---|---|---|
DDOS mitigation: DNS COOKIE (previously called SIT) | all | all | updated in 9.16.10 | updated in 9.16.10-S | updated in 9.11.26 aes or sha256 | algorithm changed to siphash24, multiple cookie secrets added |
DDOS mitigation: Multiple response rate limiters for different domains | --- | all | --- | all | --- | all |
DDOS mitigation: Size & ratio controls for response rate limiters | --- | all | --- | all | --- | all |
DNSSEC: Key and Signing Policy | updated | updated | new | new | --- | --- |
DNSSEC validation | auto | auto | default changed from yes to auto | auto | --- | --- |
DNSSEC: validate-except Permanent Negative trust anchors | all | all | all | all | --- | added (backported from 9.13.10) |
DNS over HTTPS (DoH) (RFC 8484) | all | all | --- | --- | --- | --- |
DNS over TLS (DoT) (RFC 7858) | all | all | --- | --- | --- | --- |
Documentation: BIND ARM was converted from DocBook to reStructuredText, published on ReadTheDocs | all | all | all | --- | --- | --- |
EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) | all | all | 9.16.8 | 9.16.8 | 9.11.24 | 9.11.24 |
EDNS Client-Subnet (ECS) for resolver | --- | all | --- | all, updated 9.16.10-S | --- | all, updated 9.11.26-S |
EDNS Client-Subnet (ECS) option support for authoritative servers | --- | --- | removed | removed | experimental | experimental |
EDNS Padding (RFC 7830) | all | all | all | all | --- | all |
Extended Errors (RFC 8914) | #18 | #18 | --- | --- | --- | --- |
GeoIP support | 2.0 api | 2.0 api | all | 2.0 api | all | all |
IXFR size limits | all | all | new max-ixfr-ratio option | all | --- | --- |
Management: automatic DNSTAP file rolling | all | all | all | all | --- | added |
Management: timestamp suffix option for rolled log files and DNSTAP files | all | all | all | all | --- | added |
Maximum timeout increased | all | all | all | all | all, longer max timeout | all, longer max timeout |
Mirror Zones (RFC 8806) | all | all | added (9.13.2) | all | --- | --- |
BIND Modules: plug-in support for query processing | now asynchronous | now asynchronous | added (9.13.2) | all | --- | --- |
Performance: EDNS TCP keepalive support (RFC 7828) | all | all | all | all | --- | all |
Performance: glue cache | The option has been deprecated. The feature will be enabled by default in the future | The option has been deprecated. The feature will be enabled by default in the future | added | added | --- | --- |
Performance: minimal responses (RFC 8482) | all | all | added | added | --- | --- |
Performance: answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/) | modified, re-enabled by default | modified, re-enabled by default | present, disabled by default | present, disabled by default | --- | --- |
Performance: pipelined TCP queries (server side) (RFC 7766) | all | all | --- | all | all | all |
QNAME minimization (RFC 9156) | all | all | all | all | --- | all |
RPZ-passthru new logging channel | all | all | --- | --- | --- | --- |
RPZ: refactored RPZ | all | all | all | all | --- | all, rate limits added |
RPZ: nsdname-wait-recurse | all | all | all | all | --- | all |
RPZ: Response Policy Service API | all | all | new | new | --- | --- |
New RRs | HTTPS, SVCB | HTTPS, SVCB | --- | --- | --- | --- |
Serve Stale | see KB | see KB | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S | --- | 9.11.4-S, updated 9.11.25-S, 9.11.30-S1 |
Umbrella PROTOSS EDNS option | --- | all | --- | all | --- | new |
Zone transfer over TLS, aka XoT (RFC 9103) | new | new | --- | --- | --- | --- |
Features Removed (or Planned for Removal)
In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of deprecated features generates a warning.
"Obsolete"/"Removed" options are no longer in use: they are either ignored, or named.conf will not load with them. We have a policy for removing options by a phased process: the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."
Feature | 9.24 | 9.22 | 9.20 | 9.18 current stable | 9.16 old stable | 9.15 EOL | 9.14 EOL | 9.12 EOL |
---|---|---|---|---|---|---|---|---|
acache cleaning-interval, acache enable, additional from auth, additional from cache | --- | --- | --- | --- | additional data now recorded in main cache | | | |
cleaning-interval | --- | --- | --- | --- | removed | obsolete | obsolete | obsolete |
Crypto: Native PKCS#11 | --- | --- | --- | removed in 9.18, replaced with OpenSC PKCS#11 | deprecated | | | |
dig+sigchase | --- | --- | --- | --- | --- | --- | --- | removed |
DLV (DNSSEC Look-Aside Validator) | --- | --- | --- | --- | removed | deprecated | | |
DLV trust anchor | --- | --- | --- | --- | --- | --- | --- | removed |
DLZ drivers (DLZ modules unaffected) | --- | --- | --- | deprecated in 9.17.19, to be removed in 9.18 | | | | |
DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST) | --- | --- | --- | --- | --- | --- | removed | |
DNSSEC-enable | --- | --- | --- | obsolete | obsolete | 9.15.1; DNSSEC enabled by default | | |
DNSSEC-must-be-secure | --- | fatal error | deprecation warning | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA |
DNSSEC managed-keys | 9.15.1; replaced with trust-anchors plus initial-key | | | | | | | |
DNSSEC trusted-keys | 9.15.1; replaced with trust-anchors plus static-key | | | | | | | |
DSCP | --- | --- | obsolete | deprecated/non-operational | deprecated/non-operational | | | |
EDNS Client-Subnet (ECS) authoritative | --- | --- | --- | --- | --- | --- | removed | |
lwresd | --- | --- | --- | --- | --- | --- | --- | removed |
"map" zone file format | --- | --- | --- | removed | deprecated | | | |
Source ports: explicit definition of source ports for outgoing connections | --- | obsolete | deprecated | discouraged as it implicitly disables source port randomization | | | | |
TKEY mode 2, switch to TKEY Mode 3 (GSS-API) | --- | --- | removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH | deprecated, tkey-dhkey will warn | | | | |
Windows 32-bit support | --- | --- | --- | removed | deprecated | | | |
Zone type delegation-only, and the delegation-only and root-delegation-only statements | --- | --- | removed | deprecated (9.18.4) | | | | |
Utilities
Utility | 9.18 | 9.16 | 9.16-S | 9.11 | 9.11-S |
---|---|---|---|---|---|
dig | +unexpected removed, +qid= and +dns64prefix added; dig is now able to send DOH and DOT queries; dig output now includes the transport protocol used | all | all | all | all |
dnssec-cds | all | all | all | --- | --- |