Changes to be aware of when moving from BIND 9.16 to 9.18
- 30 Jan 2023
- 7 Minutes to read
-
Contributors
-
Print
-
DarkLight
-
PDF
Changes to be aware of when moving from BIND 9.16 to 9.18
- Updated on 30 Jan 2023
- 7 Minutes to read
-
Contributors
-
Print
-
DarkLight
-
PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Maintaining our process of continuous improvement, there have been some major changes in BIND between the two currently supported ESV versions - 9.16 and 9.18. This article summarises what those changes are so that you can go into this upgrade knowing which features are likely to affect your installation and what parameters you might need to adjust.
Working document
This article is still under construction. We will add more detail about impacts of the changes listed as we learn about them.
Major changes in 9.18 include:
- DoT and DoH (DNS over TLS and DNS over HTTPS) are now included as standard.
- The
glue-cacheoption, has been deprecated. It no longer has any effect and will be removed completely in future releases. - Zone transfer over TLS (XoT) has been introduced.
- Options that have been deprecated will generate a warning log message to that effect, but
namedwill still run. - The old ISC socket handler is now obsolete and all network functions are handled by the newer netmgr code.
- The
mapzone file format is now obsolete and is no longer available in 9.18. - A new run time option
named -Cprints the built-in default values for the version being run. - Support has been added for OpenSSL version 3.0.0
- Partial support has been added for DNS extended errors, as defined in RFC 8914. The two errors supported so far are: Stale Answer and Stale NXDOMAIN Answer, when stale answers are returned from cache.
Memory usage
In general, memory consumption in 9.18 is down, compared with 9.16
The BIND team maintains a Changes log which should include all major changes. To help those who are updating directly from 9.16 to 9.18, we analyzed the options definitions for 9.18.10.
The comparison is presented as a table, with a sorted list of features in the first column and the default values for that feature in subsequent columns, for 9.16(-S) and 9.18(-S) versions. The notes column adds some background information, or in some cases links to other articles.
In most cases, features are configurable parameters in named.conf with the literal defaults in "quotes" followed by a unit, where necessary. For example, "3600"s means 3,600 seconds, or one hour. ISO8601 duration formats are also accepted for some options, so 1 day could be represented by P1D
Features in bold are general changes.
Features in italics are build time options.
| feature | 9.16 | 9.16-S | 9.18 | 9.18-S | notes |
|---|---|---|---|---|---|
| --disable-doh | absent (DoH not supported) | absent (DoH not supported) | available | available | related KB article |
| --disable-silent-rules | absent | absent | available | available | verbose build output (undo: "make V=0") |
| --enable-backtrace | available | available | unavailable | unavailable | log stack backtrace on abort [9.16 default=yes] |
| --enable-shared | available | available | unavailable | unavailable | This configure option no longer accepts the value =no. Static linking is not supported as it disables dlopen() and certain security features (e.g. RELRO, ASLR) |
| --enable-native-pkcs11 | available | available | unavailable | unavailable | BIND no longer supports native PKCS11 for public-key cryptography. It now uses engine_pkcs11, which is part of OpenSSL. |
| --enable-silent-rules | absent | absent | available | available | less verbose build output (undo: "make V=1") |
| --enable-singletrace | absent | absent | available | available | enable single-query trace logging [default=no] |
| --enable-symtable | available | available | unavailable | unavailable | use internal symbol table for backtrace |
| --enable-warn-shadow | available | available | unavailable | unavailable | turn on -Wshadow when compiling |
| --with-geoip2 | deprecated | deprecated | unavailable | unavailable | The functionality was removed in 9.16. The option itself has now been removed for 9.18 |
| --with-libjson | deprecated | deprecated | unavailable | unavailable | The functionality was removed in 9.16. The option itself has now been removed for 9.18 |
| --with-libnghttp2 | unavailable | unavailable | available | available | Build with libnghttp2 library (default is auto, alternatives are yes and no) |
| --with-libtool | available | available | unavailable | unavailable | This configure option is no longer available and BIND 9.18 is always built with libtool. |
| --with-make-clean | available | available | unavailable | unavailable | This was added in Change 2868 to give users the option of disabling make clean at the end of a configure. With 9.18, make clean is always run, so this option has been removed. |
| acache-cleaning-interval | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| acache-enable | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| additional-from-auth | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| additional-from-cache | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| allow-v6-synthesis | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| cache-file | available | available | unavailable | unavailable | This option was added in 9.16 primarily for testing and has now been removed. |
| cleaning-interval | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| coresize | default | default | deprecated | deprecated | This is a general move towards using operating system values, rather than BIND specific ones. |
| datasize | default | default | deprecated | deprecated | This is a general move towards using operating system values, rather than BIND specific ones. |
| dnssec-dnskey-kskonly | no | no | yes | yes | |
| dnssec-enable | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| dnssec-lookaside | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| files | unlimited | unlimited | deprecated | deprecated | This is a general move towards using operating system values, rather than BIND specific ones. |
| filter-aaaa | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| filter-aaaa-on-v4 | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| filter-aaaa-on-v6 | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| geoip-use-ecs | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| glue-cache | yes | yes | deprecated | deprecated | The glue cache is now permanently enabled and this option has no effect. |
| http-listener-clients | absent | absent | 300 | 300 | |
| http-port | absent | absent | 80 | 80 | |
| http-streams-per-connection | absent | absent | 100 | 100 | Setting the value to zero removes the limit. |
| https-port | absent | absent | 443 | 443 | |
| lwres | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| max-acache-size | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| nosit-udp-size | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| parent-registration-delay | available | available | unavailable | unavailable | This was part of the dnssec-policy block in 9.16 and has been obsoleted for 9.18 |
| queryport-pool-ports | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| queryport-pool-updateinterval | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| random-device | supplied by crypto' lib' | supplied by crypto' lib' | deprecated | deprecated | There is now no choice of the source of randomness. For calculations requiring random numbers, BIND will now use the random number generator function provided by the cryptographic library of the host OS and a Hardware Security Module (HSM), if present. |
| request-sit | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| reserved-sockets | 512 | 512 | deprecated | deprecated | This option no longer applies since moving completely to netmgr. |
| rpz-passthru | absent | absent | available | available | This is a new logging category introduced for 9.18 |
| sit-secret | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| stacksize | default | default | deprecated | deprecated | This is a general move towards using operating system values, rather than BIND specific ones. |
| stale-cache-enable | yes | yes | no | no | See here for more information about BIND's stale cache implementation. |
| support-ixfr | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
| synth-from-dnssec | no | no | yes | yes | Requires DNSSEC validation to be enabled and working. The default will change to "yes" in a future release. |
| tcp-receive-buffer | absent | absent | available | available | This option has no default. if used a value must be specified. |
| tcp-send-buffer | absent | absent | available | available | This option has no default. if used a value must be specified. |
| tls-port | absent | absent | 853 | 853 | DNS over TLS (DoT) listen port value. |
| udp-receive-buffer | absent | absent | 0 | 0 | The default value of zero indicates that the operating system's value should be used. |
| udp-send-buffer | absent | absent | 0 | 0 | The default value of zero indicates that the operating system's value should be used. |
| use-ixfr | obsolete | obsolete | removed | removed | Use of this option will now be a configuration failure and named will not run. |
Further reading
ISO 8601 representation of durations