 
		
This list was started in BIND9.7 and documents features made available at each version. It is not exhaustive and excludes certain (IOHO) non-features. Clearly there are multiple reasons for any BIND release, such as bugs, performance tuning etc.; these are not covered in this list:
Bind 9 Features by Release (9.7 to 9.10)
| Release BIND9.10 | ||
| Major Release | Feature | Notes | 
| 9.10 | Source Identity Token | Non-standard feature; use --enable-sit in configure to build. SIT-identified clients are not subject to rate-limit. Defined by draft-eastlake-dnsext-cookies-04.txt | 
| pkcs11 support | Configure option --enable-native-pkcs11 allows direct support of HSM devices which support full pkcs11 API without openssl. | |
| named | Now preserves domain name case (at last - it's in RFC 1035). This can be suppressed with a no-case-compress ACL setting. | |
| rndc scan | Triggers interface scan manually - see automatic-interface-scan. | |
| rndc -q | suppresses all but error messages | |
| rndc signing -nsec3param | specifying auto will generate a random salt | |
| rndc flushtree | flushes all references | |
| rndc zonestatus | new command | |
| rndc delzone -clean | removes zone files!! | |
| rndc validation check | reports DNSSEC validation status | |
| hmac-sha1, -sha224, -sha256, -sha384, and -sha512 | new options in rndc-confgen and rndc | |
| dig +subnet | Non-standard feature (draft-vandergaast-edns-client-subnet-02.txt). Sends IP address/IP Prefix in EDNS CLIENT-SUBNET message. | |
| dig +expire | Non-standard feature (draft-andrews-dnsext-expire-00.txt). Sends EDNS EXPIRE. | |
| dig +nocrypto | Suppresses print on DNSSEC RRs | |
| dig -u | time in microseconds (was milliseconds) | |
| dig +nssearch | displays NS with no A or AAAA RRs or whose NS name is NXDOMAIN | |
| BIND-DLZ | BIND-DLZ extension now supports multiple database and master and redirect types. | |
| delv | New dig-like utility, primarily for DNSSEC validation. | |
| dnssec-signzone | -Q argument removes signatures which use inactive keys. | |
| dnssec-coverage | Python tool. New options -k and -z check coverage for KSK and ZSK and -l checks for duration. | |
| named-rrchecker | Utility. Syntax check for each RR type | |
| in-view zone | Allows zone definitions to be shared between views (explanation & example). | |
| dnssec-checkds | Utility. Checks for required DS RR to be published to parent. Not installed without Python (3.0). | |
| dnssec-verify | New utility. Verifies DNSSEC status. | |
| dnssec-importkey | Utility to import externally generated DNSSEC key | |
| tsig-keygen | Same as ddns-confgen -q | |
| named-checkzone named-compilezone | -J reads any journal file(s). Reads/writes map format. | |
| dnssec-keyfromlabel | Supports -S and -i flags (like dnssec-keygen). | |
| logs SOA serial numbers when starting/loading zone | ||
| response-policy "response-policy" added "min-ns-dots" (default 1) "response-policy" added "rpz-client-ip" "response-policy" added "recursive-only yes|no" "response-policy" added "max-policy-ttl" --enable-rpz-nsip and --enable-rpz-nsdname now default for build | Now supports up to 32 RPZ zones. | |
| automatic-interface-scan statement | On systems with routing sockets BIND scans interfaces when they change. | |
| prefetch statement | By default BIND will now prefetch cache entries up to 2 seconds before they expire. prefetch statement can control this behavior. | |
| max-zone-ttl statement | Master zones only. Fails to load a zone with higher TTLs. rndc will truncate TTL if higher. | |
| disable-ds-digests statement | by domain(s) | |
| rate-limit statement | Allows control over identical (and other) response rates. Logged to rate-limit category. Compiled in as standard. | |
| max-rsa-exponent-size statement | ||
| EUI48 & EUI64 RRs | ||
| dscp option as well as port | All statements that support port keyword allow dscp. DiffServ for traffic management | |
| IPv4 & IPv6 listen | Both (if available) now default to all interfaces. | |
| zone-statistics | 3 options yes (full), no (none), terse | |
| zone statistics V3.0 | New XML schema. New XSL stylesheet and JSON output allowing use of Google Chart | |
| statistics | no. of REFUSED responses | |
| max-cache-size max-acache-size | now allow over 4GB | |
| ACLs | allow definitions using MaxMind GeoIP | |
| DNS64 AAAA | record number of RRset synthesized | |
| 'map' zone file format | Faster zone load format. Added directly via mmap(). masterfile-format statement support. | |
| statistics | stats for Stale RRsets | |
| filter-aaaa-on-v6 | similar to filter-aaaa-on-v4 (configure option --enable-filter-aaaa not on by default) | |
| ECDSA support | US Govt. DSA using ECC crypto. | |
| sdb API | allows access to wire-format. | |
| Release BIND9.9 | ||
| Major Release | Feature | Notes | 
| 9.9 | rrset-order defaults to random | |
| empty zones | suppress enabling/disabling | |
| nsupdate | "prereq" and "update" optional | |
| zone raw format incompatible | need raw0 to generate backward compatible raw zone format | |
| named -U | Argument allows max no of UDP listener threads per interface | |
| dnssec-signzone | -f prints to stdout, -O full prints single line per RR | |
| dnssec-lookaside | added option "no" | |
| dig | defaults to +adflag and +edns=0 normally, +dnssec defaulted when using dig +trace | |
| rndc querylog | takes on/off (no longer a toggle) | |
| rndc signing option | (auto-dnssec zones only) where option may be -clear -list -nsec3param Remove rndc keydone | |
| in-line signing | all zone types 9.9.0b1+ | |
| 9.9.0a3 | RPZ | logging channel added (rpz) NO-OP renamed PASSTHRU DISABLED override | 
| request-ixfr | operates at zone level | |
| rndc flushtree | new command | |
| empty zones | all RFC1918 reverse zones (enabled by empty-zones-enable statement) | |
| nsupdate | increment (default) or unixtime for handling zone sn | |
| rndc thaw | removes journal file if ixfr-from-differences is not currently active | |
| dnssec-update-mode statement | ||
| also-notify | uses same syntax as masters statement allowing TSIG key and use of masters clause | |
| logging | TSIG key-name added | |
| dnssec-loadkeys-interval statement | ||
| --with-gssapi | now default make option | |
| dnssec-dsfromkey | -f allows stdin which means input can be piped from other commands | |
| dnssec-signzone | -R removes signatures generated by a key which has been deleted/removed, -D only writes signed RRs, -X date allows RRSIG expiration date override | |
| dnssec-key, dnssec-settime, dnssec-keyfromlabel | -L argument sets TTL | |
| dig | dnssec output reformatted and comments made more verbose, +norrcomments suppresses all comments | |
| URI RR supported | ||
| redirect on NXDOMAIN | new zone type definition | |
| resolver-query-timeout statement | default = 10 seconds, range 1 to 30 seconds | |
| Release BIND9.8 | ||
| Major Release | Feature | Notes | 
| 9.8 | RPZ support | (9.8.0b1+) | 
| TSIG Keys | dynamically generated (by GSSAPI) are maintained across server reloads | |
| dns64 statement | DNS64 Forward and Reverse support | |
| update-policy | new external option | |
| dnssec-validation auto; statement | added trust anchor for root zone | |
| GOST (crypto) support | ||
| named -V | reports OpenSSL and libxml2 versions | |
| tkey-gssapi-keytab statement | may deprecate tkey-gssapi-credential in future | |
| zone type static-sub supported | ||
| rndc loadkeys | ||
| dnssec-keygen, dnssec-settime | -S argument added | |
| allow-new-zones (yes|no) statement | replaced new-zone-file statement | |
| rndc delzone, rndc addzone | dynamically add and delete zones (zones not added with rndc addzone cannot be deleted with rndc delzone) | |
| acl filter aaaa added | ||
| dig +onesoa | suppress last SOA in AXFR | |
| Release BIND9.7 | ||
| Major Release | Feature | Notes | 
| 9.7.0rc1 | check-dup-records statement | controls removal of records which are different in DNSSEC but same in non-DNSSEC | 
| dnssec-secure-to-insecure statement | renamed (was secure-to-insecure) | |
| dnssec-dnskey-kskonly statement | renamed (was dnskey-ksk-only) | |
| filter-aaaa-on-v4 in view clause | make option | |
| 9.7.0b3 | minimal responses | always returned if 512 UDP negotiated (not EDNS0) | 
| log TCP queries | ||
| 9.7.0b2 | dnssec-keygen | -q argument stops all progress output | 
| filter-aaaa-on-v4 | make option --enable-filter-aaaa | |
| dnssec-keygen | now displays progress markers to allow user to see lack of entropy | |
| key-directory statement | now supports relative path | |
| RSASHA256 & RSASHA512 | Addition to DNSSEC crypto suite | |
| 9.7.0b1 | dnskey-ksk-only statement | (renamed dnskey-ksk-only in 0c1) uses only KSK to sign zone | 
| dnssec-signzone | -x argument allows zone signing with only KSK | |
| dnssec-signzone | -u argument controls NSEC to NSEC3 | |
| -E argument | allows use of OpenSSL for crypto utilities with HSM | |
| dig -k | TSIG arguments from standard key clause format | |
| dnssec-keygen, dnssec-settime | -G and -I arguments control ready for use or Inactive key status | |
This work is licensed under a
Creative Commons License.
| Copyright © 1994 - 2025 ZyTrax, Inc. All rights reserved. Legal and Privacy | site by zytrax hosted by javapipe.com | web-master at zytrax Page modified: February 26 2024. |