mail us  |  mail this page

contact us
training  | 
tech stuff  | 

BIND 9 Support

BIND9 - Features by Version

This list was started in BIND9.7 and documents features made available at each version, it is not exhaustive and excludes certain (IOHO) non-features. Clearly there are multiple reasons for any BIND release such as bugs, performance tuning etc. these are not covered in this list:

Bind 9 Features by Release (9.7 to 9.10)

Release BIND9.10
Major Release Feature Notes
9.10 Source Identity Token Non-standard feature use --enable-sit in configure to build. SIT identified clients are not subject to rate-limit. Defined by draft-eastlake-dnsext-cookies-04.txt
pkcs11 support Configure option --enable-native-pkcs11 allows direct support of HSM devices which support full pkcs11 API without openssl.
named Now preserves domain name case (at last - its in RFC 1035). This can be suppressed with a no-case-compress ACL setting.
rndc scan Triggers interface scan manually - see automatic-interface-scan.
rndc -q suppresses all but error messages
rndc signing -nsec3param specifying auto will generate a random salt
rndc flushtree flushes all references
rndc zonestatus new command
rndc delzone -clean removes zone files!!
rndc validation check reports DNSSEC validation status
hmac-sha1, -sha224, -sha256, -sha384, and -sha512 new options in rndc-confgen and rndc
dig +subnet Non-standard feature (draft-vandergaast-edns-client-subnet-02.txt). Sends IP address/IP Prefix in EDNS CLIENT-SUBNET message.
dig +expire Non-standard feature (draft-andrews-dnsext-expire-00.txt). Sends EDNS EXPIRE.
dig +nocrypto Suppresses print on DNSSEC RRs
dig -u time in microseconds (was milliseconds)
dig +nssearch displays NS with no A or AAAA RRs or NS names is NXDOMAIN
BIND-DLZ BIND-DLZ extension now supports multiple database and master and redirect types.
delv New dig-like utility, primarily for DNSSEC validation.
dnssec-signzone -Q argument removes signatures which use inactive keys.
dnssec-coverage Python tool. New options -k and -z check coverage for KSK and ZSK and -l checks for duration.
named-rrchecker Utility. Syntax check for each RR type
in-view zone Allows zone definitions to be shared between views (explanation & example).
dnssec-checkds Utility. Checks for requireed DS RR to be published to parent. Not installed without Python (3.0).
dnssec-verify New utility. Verifies DNSSEC status.
dnssec-importkey Utility to import externally generated DNSSEC key
tsig-keygen Same as ddns-confgen -q
named-checkzone
named-compilezone
-J reads any journal file(s). Reads/write map format.
dnssec-keyfromlabel Supports -S and -i flags (like dnssec-keygen).
logs SOA serial numbers when starting/loading zone
response-policy
"response-policy" added "min-ns-dots" (default 1)
"response-policy" added "rpz-client-ip"
"response-policy" added "recursive-only yes|no"
"response-policy" added "max-policy-ttl"
--enable-rpz-nsip and --enable-rpz-nsdname now default for build
Now supports up to 32 RPZ zones.
automatic-interface-scan statement On systems with routing sockets BIND scans interfaces when they change.
prefetch statement By default BIND will now prefect caches entries up to 2 seconds before they expire. prefetch statement can control this behavior.
max-zone-ttl statement Master zones only. Fails to load a zone with higher TTLs. rndc will truncate TTL if higher.
disable-ds-digests statement by domain(s)
rate-limit statement Allows control over identical (and other) response rates. Logged to rate-limit category. Compiled in as standard.
max-rsa-exponent-size statement
EUI48 & EUI64 RRs
dscp option as well as port All statements that support port keyword allow dscp. DiffServ for traffic management
IPv4 & IPv6 listen Both (if available) now default to all interfaces.
zone-statistics 3 options yes (full), no (none), terse
zone statistics V3.0 New XML schema. New XSL stylesheet and JSON output allowing use of Google Chart
statistics no. of REFUSED responses
max-cache-size
max-acache-size
now allow over 4GB
ACLs allow definitions using MaxMind GeoIP
DNS64 AAAA record number of RRset synthesized
'map' zone file format Faster zone load format. Added directly via nmap(). masterfile-format statement support.
statistics stats for Stale RRsets
filter-aaaa-on-v6 similar to filter-aaaa-on-v4 (configure option --enable-filter-aaaa not on by default)
ECDSA spport US Govt. DSA using ECC crypto.
sdb API allows access to wire-format.
Release BIND9.9
Major Release Feature Notes
9.9 rrset-order defaults to random
empty zones suppress enabling/disabling
nsupdate "prereq" and "update" optional
zone raw format incompatible need raw0 to generate backward compatible raw zone format
named -U Argument allows max no of UDP listener threads per interface
dnssec-signzone -f prints to stdout, -O full prints single line per RR
dnssec-lookaside added option "no"
dig defaults to +adflag and +edns=0 normally, +dnssec defaulted when using dig +trace,
rndc querylog takes on/off (no longer a toggle)
rndc signing option (auto-dnssec zones only) where option may be
-clear
-list
-nsec3param
Remove rndc keydone
in-line signing all zone types 9.9.0b1+
9.9.0a3 RPZ logging channel added (rpz)
NO-OP renamed PASSTHRU
DISABLED override
request-ixfr operates at zone level
rndc flushtree new command
empty zones all RFC1918 reverse zones (enabled by empty-zones-enable statement)
nsupdate increment (default) or unixtime for handling zone sn
rndc thaw removes journal file if ixfr-from-differences is not currently active
dnssec-update-mode statement
also-notify uses same syntax as masters statement allowing TSIG key and use of masters clause
logging TSIG key-name added
dnssec-loadkeys-interval statement
--with-gssapi now default make option
dnssec-dsfromkey -f allows stdin which means input can be piped from other commands
dnssec-signzone -R removes signatures generated by a key which has been deleted/removed, -D only writes signed RRs, -X date allows RRSIG expiration date override
dnssec-key, dnssec-settime, dnssec-keyfromlabel -L argument sets TTL
dig dnssec output reformatted and comments made more verbose, +norrcomments supresses all comments
URI RR supported
redirect on NXDOMAIN new zone type definition
resolver-query-timeout statement default = 10 seconds, range 1 to 30 seconds
Release BIND9.8
Major Release Feature Notes
9.8 RPZ support (9.8.0b1+)
TSIG Keys dynamically generated (by GSSAPI) are maintained accross server reloads
dns64 statement DNS64 Forward and Reverse support
update-policy new external option
dnssec-validation auto; statement added trust anchor for root zone
GOST (crypto) support
named -V reports opnssl and libxml2 versions
tkey-gssapi-keytab statement may deprecate tkey-gssapi-credential in future
zone type static-sub supported
rndc loadkeys
dnssec-keygen, dnssec-settime -S argument added
allow-new-zones (yes|no) statement replaced new-zone-file statement
rndc delzone
rndc-addzone
dynamically add and delete zones (zones not added with rndc addzone cannot be deleted with rndc delzone
acl filter aaaa added
dig +onesoa suppress last SOA in AXFR
Release BIND9.7
Major Release Feature Notes
9.7.0rc1 check-dup-records statement controls removal of records which are different in DNSSEC but same in non-DNSSEC
dnssec-secure-to-insecure statement renamed (was secure-to-insecure)
ddnssec-dnskey-kskonly statement renamed (was dnskey-ksk-only)
filter-aaaa-on-v4 in view clause make option
9.7.0b3 minimal responses always returned if 512 UDP negotiated (not EDNS0)
log TCP queries
9.7.0b2 dnssec-keygen -q argument stops all progress output
filter-aaaa-on-v4 make option --enable-filter-aaaa
dnssec-keygen now displays progress markers to allow user to see lack of entropy
key-directory statement nows supports relative path
RSASHA256 & RSASHA512 Addition to DNSSEC crypto suite
9.7.0b1 dnskey-ksk-only statement (renamed dnskey-ksk-only in 0c1) uses only KSK to sign zone
dnssec-signzone -x argument allows zone signing with only KSK
dnssec-signzone -u argument controls NSEC to NSEC3
-E argument allows use of OpenSSL for crypto utilities with HSM
dig -k TSIG arguments from standard key clause format
dnssec-keygen, dnssec-settime -G and -I arguments control ready for use or Inactive key status


Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

Icons made by Icomoon from www.flaticon.com is licensed by CC 3.0 BY
share page via facebook tweet this page

Page

email us Send to a friend feature print this page Display full width page Decrease font size Increase font size

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2024 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
hosted by javapipe.com
web-master at zytrax
Page modified: January 20 2022.