This list was started in BIND9.7 and documents features made available at each version. It is not exhaustive and excludes certain (IOHO) non-features. Clearly there are multiple reasons for any BIND release, such as bugs and performance tuning; these are not covered in this list:
BIND 9 Features by Release (9.7 to 9.10)
Release BIND9.10 | ||
Major Release | Feature | Notes |
9.10 | Source Identity Token | Non-standard feature; use --enable-sit in configure to build. SIT-identified clients are not subject to rate-limit. Defined by draft-eastlake-dnsext-cookies-04.txt |
pkcs11 support | Configure option --enable-native-pkcs11 allows direct support of HSM devices which support full pkcs11 API without openssl. | |
named | Now preserves domain name case (at last - it's in RFC 1035). This can be suppressed with a no-case-compress ACL setting. | |
rndc scan | Triggers interface scan manually - see automatic-interface-scan. | |
rndc -q | suppresses all but error messages | |
rndc signing -nsec3param | specifying auto will generate a random salt | |
rndc flushtree | flushes all references | |
rndc zonestatus | new command | |
rndc delzone -clean | removes zone files!! | |
rndc validation check | reports DNSSEC validation status | |
hmac-sha1, -sha224, -sha256, -sha384, and -sha512 | new options in rndc-confgen and rndc | |
dig +subnet | Non-standard feature (draft-vandergaast-edns-client-subnet-02.txt). Sends IP address/IP Prefix in EDNS CLIENT-SUBNET message. | |
dig +expire | Non-standard feature (draft-andrews-dnsext-expire-00.txt). Sends EDNS EXPIRE. | |
dig +nocrypto | Suppresses print on DNSSEC RRs | |
dig -u | time in microseconds (was milliseconds) | |
dig +nssearch | displays NS names that have no A or AAAA RRs or where the NS name is NXDOMAIN | |
BIND-DLZ | BIND-DLZ extension now supports multiple database and master and redirect types. | |
delv | New dig-like utility, primarily for DNSSEC validation. | |
dnssec-signzone | -Q argument removes signatures which use inactive keys. | |
dnssec-coverage | Python tool. New options -k and -z check coverage for KSK and ZSK and -l checks for duration. | |
named-rrchecker | Utility. Syntax check for each RR type | |
in-view zone | Allows zone definitions to be shared between views (explanation & example). | |
dnssec-checkds | Utility. Checks for required DS RR to be published to parent. Not installed without Python (3.0). | |
dnssec-verify | New utility. Verifies DNSSEC status. | |
dnssec-importkey | Utility to import externally generated DNSSEC key | |
tsig-keygen | Same as ddns-confgen -q | |
named-checkzone, named-compilezone | -J reads any journal file(s). Reads/writes map format. | |
dnssec-keyfromlabel | Supports -S and -i flags (like dnssec-keygen). | |
logs SOA serial numbers when starting/loading zone | ||
response-policy: added "min-ns-dots" (default 1); added "rpz-client-ip"; added "recursive-only yes|no"; added "max-policy-ttl"; --enable-rpz-nsip and --enable-rpz-nsdname now default for build | Now supports up to 32 RPZ zones. | |
automatic-interface-scan statement | On systems with routing sockets BIND scans interfaces when they change. | |
prefetch statement | By default BIND will now prefetch cache entries up to 2 seconds before they expire. The prefetch statement can control this behavior. | |
max-zone-ttl statement | Master zones only. Fails to load a zone with higher TTLs. rndc will truncate TTL if higher. | |
disable-ds-digests statement | by domain(s) | |
rate-limit statement | Allows control over identical (and other) response rates. Logged to rate-limit category. Compiled in as standard. | |
max-rsa-exponent-size statement | ||
EUI48 & EUI64 RRs | ||
dscp option as well as port | All statements that support port keyword allow dscp. DiffServ for traffic management | |
IPv4 & IPv6 listen | Both (if available) now default to all interfaces. | |
zone-statistics | 3 options yes (full), no (none), terse | |
zone statistics V3.0 | New XML schema. New XSL stylesheet and JSON output allowing use of Google Chart | |
statistics | no. of REFUSED responses | |
max-cache-size, max-acache-size | now allow over 4GB | |
ACLs | allow definitions using MaxMind GeoIP | |
DNS64 AAAA | record number of RRset synthesized | |
'map' zone file format | Faster zone load format. Loaded directly via mmap(). masterfile-format statement support. | |
statistics | stats for Stale RRsets | |
filter-aaaa-on-v6 | similar to filter-aaaa-on-v4 (configure option --enable-filter-aaaa not on by default) | |
ECDSA support | US Govt. DSA using ECC crypto. | |
sdb API | allows access to wire-format. | |
Release BIND9.9 | ||
Major Release | Feature | Notes |
9.9 | rrset-order defaults to random | |
empty zones | suppress enabling/disabling | |
nsupdate | "prereq" and "update" optional | |
zone raw format incompatible | need raw0 to generate backward compatible raw zone format | |
named -U | Argument allows max no of UDP listener threads per interface | |
dnssec-signzone | -f prints to stdout, -O full prints single line per RR | |
dnssec-lookaside | added option "no" | |
dig | defaults to +adflag and +edns=0 normally; +dnssec defaulted when using dig +trace | |
rndc querylog | takes on/off (no longer a toggle) | |
rndc signing option | (auto-dnssec zones only) where option may be -clear, -list or -nsec3param. Remove rndc keydone | |
in-line signing | all zone types 9.9.0b1+ | |
9.9.0a3 | RPZ | logging channel added (rpz); NO-OP renamed PASSTHRU; DISABLED override |
request-ixfr | operates at zone level | |
rndc flushtree | new command | |
empty zones | all RFC1918 reverse zones (enabled by empty-zones-enable statement) | |
nsupdate | increment (default) or unixtime for handling zone sn | |
rndc thaw | removes journal file if ixfr-from-differences is not currently active | |
dnssec-update-mode statement | ||
also-notify | uses same syntax as masters statement allowing TSIG key and use of masters clause | |
logging | TSIG key-name added | |
dnssec-loadkeys-interval statement | ||
--with-gssapi | now default make option | |
dnssec-dsfromkey | -f allows stdin which means input can be piped from other commands | |
dnssec-signzone | -R removes signatures generated by a key which has been deleted/removed, -D only writes signed RRs, -X date allows RRSIG expiration date override | |
dnssec-keygen, dnssec-settime, dnssec-keyfromlabel | -L argument sets TTL | |
dig | dnssec output reformatted and comments made more verbose, +norrcomments suppresses all comments | |
URI RR supported | ||
redirect on NXDOMAIN | new zone type definition | |
resolver-query-timeout statement | default = 10 seconds, range 1 to 30 seconds | |
Release BIND9.8 | ||
Major Release | Feature | Notes |
9.8 | RPZ support | (9.8.0b1+) |
TSIG Keys | dynamically generated (by GSSAPI) are maintained across server reloads | |
dns64 statement | DNS64 Forward and Reverse support | |
update-policy | new external option | |
dnssec-validation auto; statement | added trust anchor for root zone | |
GOST (crypto) support | ||
named -V | reports OpenSSL and libxml2 versions | |
tkey-gssapi-keytab statement | may deprecate tkey-gssapi-credential in future | |
zone type static-sub supported | ||
rndc loadkeys | ||
dnssec-keygen, dnssec-settime | -S argument added | |
allow-new-zones (yes|no) statement | replaced new-zone-file statement | |
rndc delzone, rndc addzone | dynamically add and delete zones (zones not added with rndc addzone cannot be deleted with rndc delzone) | |
acl filter aaaa added | ||
dig +onesoa | suppress last SOA in AXFR | |
Release BIND9.7 | ||
Major Release | Feature | Notes |
9.7.0rc1 | check-dup-records statement | controls removal of records which are different in DNSSEC but same in non-DNSSEC |
dnssec-secure-to-insecure statement | renamed (was secure-to-insecure) | |
dnssec-dnskey-kskonly statement | renamed (was dnskey-ksk-only) | |
filter-aaaa-on-v4 in view clause | make option | |
9.7.0b3 | minimal responses | always returned if 512 UDP negotiated (not EDNS0) |
log TCP queries | ||
9.7.0b2 | dnssec-keygen | -q argument stops all progress output |
filter-aaaa-on-v4 | make option --enable-filter-aaaa | |
dnssec-keygen | now displays progress markers to allow user to see lack of entropy | |
key-directory statement | now supports relative path | |
RSASHA256 & RSASHA512 | Addition to DNSSEC crypto suite | |
9.7.0b1 | dnskey-ksk-only statement | (renamed dnssec-dnskey-kskonly in 9.7.0rc1) uses only KSK to sign zone |
dnssec-signzone | -x argument allows zone signing with only KSK | |
dnssec-signzone | -u argument controls NSEC to NSEC3 | |
-E argument | allows use of OpenSSL for crypto utilities with HSM | |
dig -k | TSIG arguments from standard key clause format | |
dnssec-keygen, dnssec-settime | -G and -I arguments control ready for use or Inactive key status |
This work is licensed under a
Creative Commons License.
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved. Legal and Privacy |
site by zytrax hosted by javapipe.com |
web-master at zytrax Page modified: January 20 2022. |