Changes to be aware of when moving from BIND 9.16 to 9.18
  • 30 Jan 2023
  • 7 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

Changes to be aware of when moving from BIND 9.16 to 9.18

  • Dark
    Light
  • PDF

Article summary

Maintaining our process of continuous improvement, there have been some major changes in BIND between the two currently supported ESV versions - 9.16 and 9.18. This article summarises what those changes are so that you can go into this upgrade knowing which features are likely to affect your installation and what parameters you might need to adjust.

Working document

This article is still under construction. We will add more detail about impacts of the changes listed as we learn about them.

Major changes in 9.18 include:

  • DoT and DoH (DNS over TLS and DNS over HTTPS) are now included as standard.
  • The glue-cache option, has been deprecated. It no longer has any effect and will be removed completely in future releases.
  • Zone transfer over TLS (XoT) has been introduced.
  • Options that have been deprecated will generate a warning log message to that effect, but named will still run.
  • The old ISC socket handler is now obsolete and all network functions are handled by the newer netmgr code.
  • The map zone file format is now obsolete and is no longer available in 9.18.
  • A new run time option named -C prints the built-in default values for the version being run.
  • Support has been added for OpenSSL version 3.0.0
  • Partial support has been added for DNS extended errors, as defined in RFC 8914. The two errors supported so far are: Stale Answer and Stale NXDOMAIN Answer, when stale answers are returned from cache.
Memory usage

In general, memory consumption in 9.18 is down, compared with 9.16

The BIND team maintains a Changes log which should include all major changes. To help those who are updating directly from 9.16 to 9.18, we analyzed the options definitions for 9.18.10.

The comparison is presented as a table, with a sorted list of features in the first column and the default values for that feature in subsequent columns, for 9.16(-S) and 9.18(-S) versions. The notes column adds some background information, or in some cases links to other articles.

In most cases, features are configurable parameters in named.conf with the literal defaults in "quotes" followed by a unit, where necessary. For example, "3600"s means 3,600 seconds, or one hour. ISO8601 duration formats are also accepted for some options, so 1 day could be represented by P1D

Features in bold are general changes.

Features in italics are build time options.

feature 9.16 9.16-S 9.18 9.18-S notes
--disable-doh absent (DoH not supported) absent (DoH not supported) available available related KB article
--disable-silent-rules absent absent available available verbose build output (undo: "make V=0")
--enable-backtrace available available unavailable unavailable log stack backtrace on abort [9.16 default=yes]
--enable-shared available available unavailable unavailable This configure option no longer accepts the value =no. Static linking is not supported as it disables dlopen() and certain security features (e.g. RELRO, ASLR)
--enable-native-pkcs11 available available unavailable unavailable BIND no longer supports native PKCS11 for public-key cryptography. It now uses engine_pkcs11, which is part of OpenSSL.
--enable-silent-rules absent absent available available less verbose build output (undo: "make V=1")
--enable-singletrace absent absent available available enable single-query trace logging [default=no]
--enable-symtable available available unavailable unavailable use internal symbol table for backtrace
--enable-warn-shadow available available unavailable unavailable turn on -Wshadow when compiling
--with-geoip2 deprecated deprecated unavailable unavailable The functionality was removed in 9.16. The option itself has now been removed for 9.18
--with-libjson deprecated deprecated unavailable unavailable The functionality was removed in 9.16. The option itself has now been removed for 9.18
--with-libnghttp2 unavailable unavailable available available Build with libnghttp2 library (default is auto, alternatives are yes and no)
--with-libtool available available unavailable unavailable This configure option is no longer available and BIND 9.18 is always built with libtool.
--with-make-clean available available unavailable unavailable This was added in Change 2868 to give users the option of disabling make clean at the end of a configure. With 9.18, make clean is always run, so this option has been removed.
acache-cleaning-interval obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
acache-enable obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
additional-from-auth obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
additional-from-cache obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
allow-v6-synthesis obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
cache-file available available unavailable unavailable This option was added in 9.16 primarily for testing and has now been removed.
cleaning-interval obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
coresize default default deprecated deprecated This is a general move towards using operating system values, rather than BIND specific ones.
datasize default default deprecated deprecated This is a general move towards using operating system values, rather than BIND specific ones.
dnssec-dnskey-kskonly no no yes yes
dnssec-enable obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
dnssec-lookaside obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
files unlimited unlimited deprecated deprecated This is a general move towards using operating system values, rather than BIND specific ones.
filter-aaaa obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
filter-aaaa-on-v4 obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
filter-aaaa-on-v6 obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
geoip-use-ecs obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
glue-cache yes yes deprecated deprecated The glue cache is now permanently enabled and this option has no effect.
http-listener-clients absent absent 300 300
http-port absent absent 80 80
http-streams-per-connection absent absent 100 100 Setting the value to zero removes the limit.
https-port absent absent 443 443
lwres obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
max-acache-size obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
nosit-udp-size obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
parent-registration-delay available available unavailable unavailable This was part of the dnssec-policy block in 9.16 and has been obsoleted for 9.18
queryport-pool-ports obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
queryport-pool-updateinterval obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
random-device supplied by crypto' lib' supplied by crypto' lib' deprecated deprecated There is now no choice of the source of randomness. For calculations requiring random numbers, BIND will now use the random number generator function provided by the cryptographic library of the host OS and a Hardware Security Module (HSM), if present.
request-sit obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
reserved-sockets 512 512 deprecated deprecated This option no longer applies since moving completely to netmgr.
rpz-passthru absent absent available available This is a new logging category introduced for 9.18
sit-secret obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
stacksize default default deprecated deprecated This is a general move towards using operating system values, rather than BIND specific ones.
stale-cache-enable yes yes no no See here for more information about BIND's stale cache implementation.
support-ixfr obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.
synth-from-dnssec no no yes yes Requires DNSSEC validation to be enabled and working. The default will change to "yes" in a future release.
tcp-receive-buffer absent absent available available This option has no default. if used a value must be specified.
tcp-send-buffer absent absent available available This option has no default. if used a value must be specified.
tls-port absent absent 853 853 DNS over TLS (DoT) listen port value.
udp-receive-buffer absent absent 0 0 The default value of zero indicates that the operating system's value should be used.
udp-send-buffer absent absent 0 0 The default value of zero indicates that the operating system's value should be used.
use-ixfr obsolete obsolete removed removed Use of this option will now be a configuration failure and named will not run.

Further reading

ISO 8601 representation of durations