Bind9 Features by Version

From: https://www.zytrax.com/books/dns/ch7/bind9-features.html


BIND9 - Features by Version
This list was started in BIND9.7 and documents features made available at
each version, it is not exhaustive and excludes certain (IOHO) non
-features.
Clearly there are multiple reasons for any BIND release such as bugs,
performance tuning etc. these are not covered in this list:

Bind 9 Features by Release (9.7 to 9.10)


	Release BIND9.10

	Major Release
	 Feature
	 Notes

	9.10 Source Identity Token Non-standard feature use --enable-sit
in configure to build. SIT identified clients are not subject to rate-limit.
Defined by draft-eastlake-dnsext-cookies-04.txt

	 pkcs11 support Configure option --enable-native-pkcs11 allows direct
support of HSM devices which support full pkcs11 API without openssl.
named Now preserves domain name case (at last - its in RFC 1035). This
can be suppressed with a no-case-compress ACL setting.
rndc scan Triggers interface scan manually - see automatic-interface
-scan.
rndc -q suppresses all but error messages
rndc signing -nsec3param specifying auto will generate a random salt
rndc flushtree flushes all references
rndc zonestatus new command
rndc delzone -clean removes zone files!!
rndc validation check reports DNSSEC validation status
hmac-sha1, -sha224, -sha256, -sha384, and -sha512 new options in rndc
-confgen and rndc
dig +subnet Non-standard feature (draft-vandergaast-edns-client-subnet
-02.txt). Sends IP address/IP Prefix in EDNS CLIENT-SUBNET message.
dig +expire Non-standard feature (draft-andrews-dnsext-expire-00.txt).
Sends EDNS EXPIRE.
dig +nocrypto Suppresses print on DNSSEC RRs
dig -u time in microseconds (was milliseconds)
dig +nssearch displays NS with no A or AAAA RRs or NS names is NXDOMAIN

BIND-DLZ BIND-DLZ extension now supports multiple database and master
and redirect types.
delv New dig-like utility, primarily for DNSSEC validation.
dnssec-signzone -Q argument removes signatures which use inactive keys.
dnssec-coverage Python tool. New options -k and -z check coverage for
KSK and ZSK and -l checks for duration.
named-rrchecker Utility. Syntax check for each RR type
in-view zone Allows zone definitions to be shared between views
(explanation & example).
dnssec-checkds Utility. Checks for requireed DS RR to be published to
parent. Not installed without Python (3.0).
dnssec-verify New utility. Verifies DNSSEC status.
dnssec-importkey Utility to import externally generated DNSSEC key
tsig-keygen Same as ddns-confgen -q
named-checkzone
named-compilezone -J reads any journal file(s). Reads/write map format.
dnssec-keyfromlabel Supports -S and -i flags (like dnssec-keygen).
logs SOA serial numbers when starting/loading zone 
response-policy
"response-policy" added "min-ns-dots" (default 1)
"response-policy" added "rpz-client-ip"
"response-policy" added "recursive-only yes|no"
"response-policy" added "max-policy-ttl"
--enable-rpz-nsip and --enable-rpz-nsdname now default for build 
Now supports up to 32 RPZ zones.
automatic-interface-scan statement On systems with routing sockets BIND
scans interfaces when they change.
prefetch statement By default BIND will now prefect caches entries up
to
2 seconds before they expire. prefetch statement can control this behavior.
max-zone-ttl statement Master zones only. Fails to load a zone with
higher TTLs. rndc will truncate TTL if higher.
disable-ds-digests statement by domain(s)
rate-limit statement Allows control over identical (and other) response
rates. Logged to rate-limit category. Compiled in as standard.
max-rsa-exponent-size statement 
EUI48 & EUI64 RRs 
dscp option as well as port All statements that support port keyword
allow dscp. DiffServ for traffic management
IPv4 & IPv6 listen Both (if available) now default to all interfaces.
zone-statistics 3 options yes (full), no (none), terse
zone statistics V3.0 New XML schema. New XSL stylesheet and JSON output
allowing use of Google Chart
statistics no. of REFUSED responses
max-cache-size
max-acache-size now allow over 4GB
ACLs allow definitions using MaxMind GeoIP
DNS64 AAAA record number of RRset synthesized
'map' zone file format Faster zone load format. Added directly via
nmap(). masterfile-format statement support.
statistics stats for Stale RRsets
filter-aaaa-on-v6 similar to filter-aaaa-on-v4 (configure option -
-enable-filter-aaaa not on by default)
ECDSA spport US Govt. DSA using ECC crypto.
sdb API allows access to wire-format.


	Release BIND9.9

Major Release
Feature
Notes
9.9 rrset-order defaults to random 
empty zones suppress enabling/disabling
nsupdate "prereq" and "update" optional
zone raw format incompatible need raw0 to generate backward compatible
raw zone format
named -U Argument allows max no of UDP listener threads per interface
dnssec-signzone -f prints to stdout, -O full prints single line per RR
dnssec-lookaside added option "no"
dig defaults to +adflag and +edns=0 normally, +dnssec defaulted when
using dig +trace,
rndc querylog takes on/off (no longer a toggle)
rndc signing option (auto-dnssec zones only) where option may be
-clear
-list
-nsec3param
Remove rndc keydone
in-line signing all zone types 9.9.0b1+
9.9.0a3 RPZ logging channel added (rpz)
NO-OP renamed PASSTHRU
DISABLED override
request-ixfr operates at zone level
rndc flushtree new command
empty zones all RFC1918 reverse zones (enabled by empty-zones-enable
statement)
nsupdate increment (default) or unixtime for handling zone sn
rndc thaw removes journal file if ixfr-from-differences is not
currently
active
dnssec-update-mode statement 
also-notify uses same syntax as masters statement allowing TSIG key and
use of masters clause
logging TSIG key-name added
dnssec-loadkeys-interval statement 
--with-gssapi now default make option
dnssec-dsfromkey -f allows stdin which means input can be piped from
other commands
dnssec-signzone -R removes signatures generated by a key which has been
deleted/removed, -D only writes signed RRs, -X date allows RRSIG expiration
date override
dnssec-key, dnssec-settime, dnssec-keyfromlabel -L argument sets TTL
dig dnssec output reformatted and comments made more verbose,
+norrcomments supresses all comments
URI RR supported 
redirect on NXDOMAIN new zone type definition
resolver-query-timeout statement default = 10 seconds, range 1 to 30
seconds


	Release BIND9.8

	Major Release 
	 Feature 
	 Notes
9.8 RPZ support (9.8.0b1+)
TSIG Keys dynamically generated (by GSSAPI) are maintained accross
server reloads
dns64 statement DNS64 Forward and Reverse support
update-policy new external option
dnssec-validation auto; statement added trust anchor for root zone
GOST (crypto) support 
named -V reports opnssl and libxml2 versions
tkey-gssapi-keytab statement may deprecate tkey-gssapi-credential in
future
zone type static-sub supported 
rndc loadkeys 
dnssec-keygen, dnssec-settime -S argument added
allow-new-zones (yes|no) statement replaced new-zone-file statement
rndc delzone
rndc-addzone dynamically add and delete zones (zones not added with rndc
addzone cannot be deleted with rndc delzone
acl filter aaaa added 
dig +onesoa suppress last SOA in AXFR

Release BIND9.7
Major Release Feature 
Notes
9.7.0rc1 check-dup-records statement controls removal of records which
are different in DNSSEC but same in non-DNSSEC
dnssec-secure-to-insecure statement renamed (was secure-to-insecure)
ddnssec-dnskey-kskonly statement renamed (was dnskey-ksk-only)
filter-aaaa-on-v4 in view clause make option
9.7.0b3 minimal responses always returned if 512 UDP negotiated (not
EDNS0)
log TCP queries 
9.7.0b2 dnssec-keygen -q argument stops all progress output
filter-aaaa-on-v4 make option --enable-filter-aaaa
dnssec-keygen now displays progress markers to allow user to see lack
of
entropy
key-directory statement nows supports relative path
RSASHA256 & RSASHA512 Addition to DNSSEC crypto suite
9.7.0b1 dnskey-ksk-only statement (renamed dnskey-ksk-only in 0c1) uses
only KSK to sign zone
dnssec-signzone -x argument allows zone signing with only KSK
dnssec-signzone -u argument controls NSEC to NSEC3
-E argument allows use of OpenSSL for crypto utilities with HSM
dig -k TSIG arguments from standard key clause format
dnssec-keygen, dnssec-settime -G and -I arguments control ready for use
or Inactive key status

Major Release	Feature	Notes
Release BIND9.10
9.10	Source Identity Token	Non-standard feature use --enable-sit in configure to build. SIT identified clients are not subject to rate-limit. Defined by draft-eastlake-dnsext-cookies-04.txt
	pkcs11 support	Configure option --enable-native-pkcs11 allows direct support of HSM devices which support full pkcs11 API without openssl.
	named	Now preserves domain name case (at last - its in RFC 1035). This can be suppressed with a no-case-compress ACL setting.
	rndc scan	Triggers interface scan manually - see automatic-interface -scan.
	rndc -q	suppresses all but error messages
	rndc signing -nsec3param	specifying auto will generate a random salt
	rndc flushtree	flushes all references
	rndc zonestatus	new command
	rndc delzone -clean	removes zone files!!
	rndc validation check	reports DNSSEC validation status
	hmac-sha1, -sha224, -sha256, -sha384, and -sha512	new options in rndc -confgen and rndc
	dig +subnet	Non-standard feature (draft-vandergaast-edns-client-subnet -02.txt). Sends IP address/IP Prefix in EDNS CLIENT-SUBNET message.
	dig +expire	Non-standard feature (draft-andrews-dnsext-expire-00.txt). Sends EDNS EXPIRE.
	dig +nocrypto	Suppresses print on DNSSEC RRs
	dig -u	time in microseconds (was milliseconds)
	dig +nssearch	displays NS with no A or AAAA RRs or NS names is NXDOMAIN
	BIND-DLZ	BIND-DLZ extension now supports multiple database and master and redirect types.
	delv	New dig-like utility, primarily for DNSSEC validation.
	dnssec-signzone	-Q argument removes signatures which use inactive keys.
	dnssec-coverage	Python tool. New options -k and -z check coverage for KSK and ZSK and -l checks for duration.
	named-rrchecker	Utility. Syntax check for each RR type
	in-view zone	Allows zone definitions to be shared between views (explanation & example).
	dnssec-checkds	Utility. Checks for requireed DS RR to be published to parent. Not installed without Python (3.0).
	dnssec-verify	New utility. Verifies DNSSEC status.
	dnssec-importkey	Utility to import externally generated DNSSEC key
	tsig-keygen	Same as ddns-confgen -q
	named-checkzone named-compilezone	-J reads any journal file(s). Reads/write map format.
	dnssec-keyfromlabel	Supports -S and -i flags (like dnssec-keygen).
	logs SOA serial numbers when starting/loading zone
	response-policy "response-policy" added "min-ns-dots" (default 1) "response-policy" added "rpz-client-ip" "response-policy" added "recursive-only yes\|no" "response-policy" added "max-policy-ttl" --enable-rpz-nsip and --enable-rpz-nsdname now default for build	Now supports up to 32 RPZ zones.
	automatic-interface-scan statement	On systems with routing sockets BIND scans interfaces when they change.
	prefetch statement	By default BIND will now prefect caches entries up to 2 seconds before they expire. prefetch statement can control this behavior.
	max-zone-ttl statement	Master zones only. Fails to load a zone with higher TTLs. rndc will truncate TTL if higher.
	disable-ds-digests statement	by domain(s)
	rate-limit statement	Allows control over identical (and other) response rates. Logged to rate-limit category. Compiled in as standard.
	max-rsa-exponent-size statement
	EUI48 & EUI64 RRs
	dscp option as well as port	All statements that support port keyword allow dscp. DiffServ for traffic management
	IPv4 & IPv6 listen	Both (if available) now default to all interfaces.
	zone-statistics	3 options yes (full), no (none), terse
	zone statistics V3.0	New XML schema. New XSL stylesheet and JSON output allowing use of Google Chart
	statistics	no. of REFUSED responses
	max-cache-size max-acache-size	now allow over 4GB
	ACLs	allow definitions using MaxMind GeoIP
	DNS64 AAAA	record number of RRset synthesized
	'map' zone file format	Faster zone load format. Added directly via nmap(). masterfile-format statement support.
	statistics	stats for Stale RRsets
	filter-aaaa-on-v6	similar to filter-aaaa-on-v4 (configure option - -enable-filter-aaaa not on by default)
	ECDSA spport	US Govt. DSA using ECC crypto.
	sdb API	allows access to wire-format.
Release BIND9.9
Major Release	Feature	Notes
9.9	rrset-order defaults to random
	empty zones	suppress enabling/disabling
	nsupdate	"prereq" and "update" optional
	zone raw format incompatible	need raw0 to generate backward compatible raw zone format
	named -U	Argument allows max no of UDP listener threads per interface
	dnssec-signzone	-f prints to stdout, -O full prints single line per RR
	dnssec-lookaside	added option "no"
	dig	defaults to +adflag and +edns=0 normally, +dnssec defaulted when using dig +trace,
	rndc querylog	takes on/off (no longer a toggle)
	rndc signing option	(auto-dnssec zones only) where option may be -clear -list -nsec3param Remove rndc keydone
	in-line signing	all zone types 9.9.0b1+
9.9.0a3	RPZ	logging channel added (rpz) NO-OP renamed PASSTHRU DISABLED override
	request-ixfr	operates at zone level
	rndc flushtree	new command
	empty zones	all RFC1918 reverse zones (enabled by empty-zones-enable statement)
	nsupdate	increment (default) or unixtime for handling zone sn
	rndc thaw	removes journal file if ixfr-from-differences is not currently active
	dnssec-update-mode statement
	also-notify	uses same syntax as masters statement allowing TSIG key and use of masters clause
	logging	TSIG key-name added
	dnssec-loadkeys-interval statement
	--with-gssapi	now default make option
	dnssec-dsfromkey	-f allows stdin which means input can be piped from other commands
	dnssec-signzone	-R removes signatures generated by a key which has been deleted/removed, -D only writes signed RRs, -X date allows RRSIG expiration date override
	dnssec-key, dnssec-settime, dnssec-keyfromlabel	-L argument sets TTL
	dig	dnssec output reformatted and comments made more verbose, +norrcomments supresses all comments
	URI RR supported
	redirect on NXDOMAIN	new zone type definition
	resolver-query-timeout statement	default = 10 seconds, range 1 to 30 seconds
Release BIND9.8
Major Release	Feature	Notes
9.8	RPZ support	(9.8.0b1+)
	TSIG Keys	dynamically generated (by GSSAPI) are maintained accross server reloads
	dns64 statement	DNS64 Forward and Reverse support
	update-policy	new external option
	dnssec-validation auto; statement	added trust anchor for root zone
	GOST (crypto) support
	named -V	reports opnssl and libxml2 versions
	tkey-gssapi-keytab statement	may deprecate tkey-gssapi-credential in future
	zone type static-sub supported
	rndc loadkeys
	dnssec-keygen, dnssec-settime	-S argument added
	allow-new-zones (yes\|no) statement	replaced new-zone-file statement
	rndc delzone rndc-addzone	dynamically add and delete zones (zones not added with rndc addzone cannot be deleted with rndc delzone
	acl filter aaaa added
	dig +onesoa	suppress last SOA in AXFR
Release BIND9.7
Major Release	Feature	Notes
9.7.0rc1	check-dup-records statement	controls removal of records which are different in DNSSEC but same in non-DNSSEC
	dnssec-secure-to-insecure statement	renamed (was secure-to-insecure)
	ddnssec-dnskey-kskonly statement	renamed (was dnskey-ksk-only)
	filter-aaaa-on-v4 in view clause	make option
9.7.0b3	minimal responses	always returned if 512 UDP negotiated (not EDNS0)
	log TCP queries
9.7.0b2	dnssec-keygen	-q argument stops all progress output
	filter-aaaa-on-v4	make option --enable-filter-aaaa
	dnssec-keygen	now displays progress markers to allow user to see lack of entropy
	key-directory statement	nows supports relative path
	RSASHA256 & RSASHA512	Addition to DNSSEC crypto suite
9.7.0b1	dnskey-ksk-only statement	(renamed dnskey-ksk-only in 0c1) uses only KSK to sign zone
	dnssec-signzone	-x argument allows zone signing with only KSK
	dnssec-signzone	-u argument controls NSEC to NSEC3
	-E argument	allows use of OpenSSL for crypto utilities with HSM
	dig -k	TSIG arguments from standard key clause format
	dnssec-keygen, dnssec-settime	-G and -I arguments control ready for use or Inactive key status