This table lists the major feature differences among the current supported versions of BIND 9 (with some provisional but incomplete insight into our future release plans, where features overlap with already-released branches). We also describe the deprecated and obsolete features and utilities in the smaller tables below.
Please see also this ISC KB article on upgrading from BIND 9.11 to 9.16 and this ISC KB article on upgrading from BIND 9.16 to 9.18.
These tables do not include changes in the build environment or platform support. Those requirements are included in the platforms.md file at the top level of the BIND distribution.
The "-S" (stable preview) editions are available to ISC customers with certain paid support contracts, and offer some features that are not included in the open source.
Refactoring
BIND's interface to the network was refactored during the 9.15 and 9.17 development branches, resulting in substantial changes to 9.16 and 9.18. This refactoring consisted of replacing BIND's native network interface with the commonly-used libuv library. While this did not result in any feature changes, it impacted performance and some other behaviors. Similarly, the memory allocation scheme changed in 9.18, and these changes were partly backported to 9.16. See this article for details.
Notes:
- "all" indicates that this feature was (or will be) introduced in the first public release of this branch.
- Version numbers indicate that this feature was (or will be) introduced in the specified version, rather than in the first public release of the branch.
Major Features Added or Changed
| Feature | 9.20 new stable |
9.18 current stable |
9.18-S current stable |
9.16 EoL | 9.16-S EoL |
|---|---|---|---|---|---|
| BIND Modules: plug-in support for query processing | now asynchronous | now asynchronous | added (9.13.2) | all | |
cdnskey option in dnssec-policy, to permit or deny publication of CDNSKEY RRs. |
new | --- | --- | --- | --- |
cds-digest-types option in dnssec-policy, to allow configuration of digest types for CDS RRs. |
new | --- | --- | --- | --- |
check-svcb option, for additional SVCB RR checking. |
new | --- | --- | --- | --- |
| DNS COOKIE (previously called SIT) | all | all | updated in 9.16.10 | updated in 9.16.10-S | |
delve +ns more accurately mimics BIND behaviour. |
new | --- | --- | --- | --- |
| DNS over HTTPS (DoH) (RFC 8484) | all | all | --- | --- | |
| DNS over TLS (DoT) (RFC 7858) | all | all | --- | --- | |
| DNSSEC validation | auto | auto | default changed from yes to auto | auto | |
| DNSSEC: Key and Signing Policy | updated | updated | new | new | |
dnssec-keygen -f and dnssec-keygen -k can be used together. |
new | --- | --- | --- | --- |
dnssec-ksr utility for creation of Key Signing Request (KSR) and Signed Key Response (SKR) files. |
new | --- | --- | --- | --- |
DNSSEC multi-signer model 2 RFC8901 support in inline-signing |
new | --- | --- | --- | --- |
dnssec-signzone -G can be used to control publiction of specific CDS and CDNSKEY RRs |
new | --- | --- | --- | --- |
dnssec-verify -J and dnssec-signzone -J for reading journal files. |
new | --- | --- | --- | --- |
dnstap-read prints long timestamps with millisecond precision. It can also understand Dot and DoH entries. |
new | --- | --- | --- | --- |
| dnstap emits distinct entries for DoT and DoH queries. | new | --- | --- | --- | --- |
| EDNS buffer size changed from 4096 to 1232 bytes (DNS Flag Day 2020) | all | all | 9.16.8 | 9.16.8 | |
| EDNS Client-Subnet (ECS) for resolver | --- | all | --- | all, updated 9.16.10-S | |
| EDNS Client-Subnet (ECS) option support for authoritative servers | --- | --- | removed | removed | |
| EDNS EXPIRE option now includes AXFR and IXFR | new | --- | --- | --- | --- |
| Extended Errors (RFC 8914) | #4, #15, #16, #17 | #3, #18, #19 | #18 | --- | --- |
ede option for response-policy, to support Extended DNS Errors. |
new | ||||
| Forwarding using TLS to DoT-enabled servers, including forwarding of dynamic updates. | new | ||||
Information about ongoing zone transfers in the statistics-channel, including a "first refresh" flag. |
new | ||||
| IXFR size limits | all | all | new max-ixfr-ratio option |
all | |
key-store option in dnssec-policy for HSM support |
new | ||||
| answer synthesis from cached NSEC (https://datatracker.ietf.org/doc/rfc8198/) | modified, re-enabled by default | modified, re-enabled by default | present, disabled by default | present, disabled by default | |
recursive high-water statistics-channel counter, to show the maximum number of recursive clients handled so far during this run |
new | --- | --- | --- | --- |
require-cookie option, for fallback to TCP if a remote server does not provide DNS cookies over UDP. |
new | --- | --- | --- | --- |
resolver-use-dns64 option, to allow resolvers to use DNS64 addresses directly, e.g. through a NAT64 gateway. |
new | --- | --- | --- | --- |
| New RRs | HTTPS, SVCB | HTTPS, SVCB | --- | --- | |
rndc -t to specify command timeout. |
new | --- | --- | --- | --- |
rndc fetchlimit reports servers currently rate-limited |
new | --- | --- | --- | --- |
rndc status shows the number of zones in their first refresh cycle, either pending or active. |
new | --- | --- | --- | --- |
source and source-v6 options can be used to replace *-source and *-source-v6 options. |
new | --- | --- | --- | --- |
| Performance: minimal responses (RFC 8482) | all | all | added | added | |
| Performance: pipelined TCP queries (server side) (RFC 7766) | all | all | --- | all | |
| PROXYv2 support, in both BIND and DiG | new | --- | --- | --- | --- |
| RPZ-passthru new logging channel | all | all | --- | --- | |
| RPZ: Response Policy Service API | all | all | new | new | |
Support for libsystemd's sd_notify() function, allowing systemd to know the status of named. |
new | --- | --- | --- | --- |
| Serve Stale | see KB | see KB | all, updated 9.16.9, 9.16.13 | all, updated 9.16.9-S, 9.16.13-S | |
| TLSv1.3 cipher suites added. | new | --- | --- | --- | --- |
| Umbrella PROTOSS EDNS option | --- | --- | all | --- | all |
| User Statically Defined Tracing (USDT) probes. | new | --- | --- | --- | --- |
| Zone transfer over TLS, aka XoT (RFC 9103) | new | new | --- | --- |
Features Removed (or Planned for Removal)
In the following table, "deprecated" means that the option is still usable, but its use is discouraged because it will be obsoleted in a future version. Typically, use of deprecated features generates a warning. Removing features reduces complexity which is a major factor in stabilizing the software. Most of the features that are deprecated are little-used, and some are actually considered harmful in modern deployments, even if they once seemed like a good idea.
"Obsolete"/Removed" options are no longer in use: they are either ignored or named.conf will not load with them. We have a policy for removing options by a phased process: the phases are (1) community comment, (2) deprecation, (3) obsolescence. However, some of these changes occurred before that policy was established; those are the options that are marked as "removed."
| Feature | 9.24 | 9.22 | 9.20 new stable | 9.18 current stable | 9.16 EoL |
|---|---|---|---|---|---|
acache cleaning-interval, acache enable, additional from auth, additional from cache |
--- | --- | --- | --- | additional data now recorded in main cache |
alt-transfer-source, alt-transfer-source-v6 and use-alt-transfer-source |
--- | --- | obsolete | ||
auto-dnssec |
--- | --- | removed | ||
cleaning-interval |
--- | --- | --- | --- | removed |
| Compiling with jemalloc versions older than 4.0.0 | ------ | removed | |||
| Configuration of UNIX domain sockets for the control channel | --- | --- | obsolete | ||
Configure option --enable-fixed-rrset |
deprecated | ||||
Configure option --with-tuning |
--- | --- | obsolete | ||
coresize, datasize, files and stacksize options |
--- | --- | obsolete | ||
delegation-only and root-delegation-only |
--- | --- | obsolete | deprecated | |
| DLZ drivers (DLZ modules unaffected) | --- | --- | --- | deprecated in 9.17.19, to be removed in 9.18 | |
| DNS COOKIE algorithm AES | --- | --- | obsolete | ||
| DNSSEC algorithms 1, 3, 6, and 12 (RSAMD5, DSA, DSA-NSEC-SHA1, and ECC-GOST) | --- | --- | --- | --- | --- |
dnskey-sig-validity |
--- | --- | removed | ||
dnssec-dnskey-kskonly |
--- | --- | removed | ||
dnssec-enable |
--- | --- | --- | obsolete | obsolete |
dnssec-must-be-secure |
--- | fatal error, obsolete | deprecation warning | insecure answers will be accepted with NTA | insecure answers will be accepted with NTA |
dnssec-secure-to-insecure |
--- | --- | obsolete | ||
dnssec-update-mode |
--- | --- | removed | ||
| DSCP | --- | --- | obsolete | deprecated/non-operational | deprecated/non-operational |
glue-cache option |
--- | --- | obsolete (glue cache is now permanently enabled) | ||
keep-response-order |
--- | --- | obsolete | ||
| libbind9 shared library | --- | --- | obsolete | ||
| libirs library | --- | --- | obsolete | --- | --- |
lock-file |
--- | --- | obsolete | ||
| map zone file format | --- | --- | --- | removed | deprecated |
max-zone-ttl |
deprecated | ||||
named -U |
--- | --- | obsolete | ||
named -X |
--- | --- | obsolete | ||
nsupdate -o |
deprecated | ||||
oldgsstsig |
deprecated | ||||
| Native PKCS#11 | --- | --- | --- | removed in 9.18, replaced with OpenSC PKCS#11 | deprecated |
resolver-nonbackoff-tries and resolver-retry-interval |
--- | --- | obsolete | ||
rrset-order fixed |
deprecated | ||||
sig-validity-interval |
--- | --- | removed | ||
sortlist |
deprecated | ||||
Source ports: explicit definition of source ports for outgoing connections: specifying port in following statements query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, parental-source-v6; or in the following statements as whole: use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, avoid-v6-udp-ports |
--- | obsolete | deprecated | discouraged as it implicitly disables source port randomization | |
stale-answer-client-timeout values >0 |
--- | --- | obsolete | ||
| TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) | --- | --- | obsolete and will cause a fatal error | ||
| TKEY mode 2, switch to TKEY Mode 3 (GSS-API) | --- | --- | removed, also dnssec-keygen -a DH, dnssec-keyfromlabel -a DH | deprecated, tkey-dhkey will warn | |
| Triggering of key rollovers and denial-of-existence operations due to dynamic updates that add and remove DNSKEY and NSEC3PARAM records. | --- | --- | obsolete | ||
update-check-ksk |
--- | --- | removed | ||
| UNIX Domain sockets | --- | --- | fatal error in named and named-checkconf | fatal error in named | |
| Windows 32-bit support | --- | --- | --- | obsolete | deprecated |
Zone type delegation-only, and the delegation-only and root-delegation-only statements |
--- | --- | obsolete | deprecated (9.18.4) |
Utilities
| Utility | 9.18 | 9.16 | 9.16-S | 9.11 | 9.11-S |
|---|---|---|---|---|---|
| dig | +unexpected removed, +qid= and +dns64prefix added; dig is now able to send DOH and DOT queries; dig output now includes the transport protocol used | all | all | all | all |
| dnssec-cds | all | all | all | --- | --- |