BIND 9.21+/9.22: parent-centric delegations and no TTL-based cleaning

Ondřej Surý ondrej at isc.org
Wed Apr 8 15:58:19 UTC 2026


Hi,

I would like to bring your attention to the changes that have landed in the latest development version of BIND 9.21 and that will
be present in BIND 9.22 (to be released later this year).

The first major change is that BIND 9 is switching to a parent-centric model of delegations. This means that only the NS records
(and possibly DELEG records when IETF has done the work) from the parent domain will be considered when looking up the
nameservers for the child domain. The NS records in the child domain will be treated as normal DNS records and returned
as authoritative data, but they will no longer overwrite the delegation data for the domain. If you want to delve into the technical
details and reasoning behind the change, you are most welcome to read the Internet Draft I've submitted to IETF and possibly
also express interest in the draft in the dnsop wg:

https://datatracker.ietf.org/doc/draft-sury-dnsop-parent-centric-resolver/

The second major change is that the DNS resolver cache will only do opportunistic TTL cleaning and LRU cleaning. The opportunistic
TTL-cleaning means that if the cache is asked for an already expired record it will expunge the records and possibly cache the new
data as needed. The LRU[1] cleaning is triggered only when the cache is nearing the configured memory. The positive effect is simpler
code and less work to do during the cache-misses as there's no heap (priority queue) to reorder. However, to a casual system
administrator this will manifest as a steady increase of memory use until named reaches the configured (max-cache-size) limit.
Our experiments show that named behaves well even with smaller cache sizes, and you might want to experiment with smaller
cache sizes (512M - 1GB) to see if they work well for you. The reasoning behind this change is quite simple - the TTL-based cleaning
is just a band-aid - it pretends to work until the DNS resolver is under attack. A determined attacker can then fill your cache with
various records and when the cache is under memory pressure the TTL-based cleaning is just a nuisance. Because of that, we've
improved the LRU-cleaning that gets triggered under memory pressure and there's simply no reason to keep both algorithms
in place.

You are most welcome to test the 9.21.21 release that contains both of the changes and report any issues you've encountered
to our GitLab issue tracker or simply here.

1. Least Recently Used - but the actual implementation in BIND 9 is SIEVE-LRU, you can read more about the algorithm in our
blog post: https://www.isc.org/blogs/2025-sieve/

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
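The difference between the legacy child-centric behaviour and the parent-centric model described in the post, as an added example that is not part of the message and not ISC's code. It is a simplified model working on sets of nameserver names rather than wire-format RRsets; the zone names and servers are constructed for the illustration, and the delegation_report check is something a zone operator can run against their own parent and child NS sets before 9.22 lands.

```python
"""Model of parent-centric vs. child-centric delegation handling.

Added illustration, not BIND 9 code. The names and servers below are
constructed for the example; a real resolver works on wire-format RRsets
and glue, which this model leaves out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """NS RRset for a child zone as published by the PARENT zone."""
    zone: str
    nameservers: frozenset


@dataclass(frozen=True)
class ChildApex:
    """NS RRset served by the CHILD zone at its own apex."""
    zone: str
    nameservers: frozenset


def servers_to_query(parent: Delegation, child: ChildApex, model: str) -> frozenset:
    """Return the nameservers a resolver would use for the child zone.

    model == "child-centric": the legacy behaviour, in which the child's apex
    NS RRset (authoritative data) overwrites the delegation once learned.
    model == "parent-centric": the behaviour described for BIND 9.21+/9.22,
    where only the parent-side NS records select nameservers and the child's
    NS RRset is merely cached as an ordinary answer.
    """
    if parent.zone != child.zone:
        raise ValueError("parent delegation and child apex refer to different zones")
    if model == "child-centric":
        return child.nameservers
    if model == "parent-centric":
        return parent.nameservers
    raise ValueError(f"unknown model {model!r}")


def answer_ns_query(parent: Delegation, child: ChildApex) -> frozenset:
    """What an NS query for the child zone returns under either model:
    the child's own apex NS RRset, returned as authoritative data."""
    return child.nameservers


def delegation_report(parent: Delegation, child: ChildApex) -> dict:
    """Consistency check for a zone operator.

    Servers present only in the child apex are never selected by a
    parent-centric resolver, so they get no recursive traffic until the
    parent delegation is updated (e.g. at the registrar).  Servers present
    only in the parent keep receiving queries even though the child does
    not advertise them, which is how a stale parent delegation shows up.
    """
    only_child = child.nameservers - parent.nameservers
    only_parent = parent.nameservers - child.nameservers
    return {
        "consistent": not only_child and not only_parent,
        "only_in_child_apex": only_child,
        "only_in_parent": only_parent,
    }


# Constructed sample: the parent delegates child.example. to two servers,
# but the child's apex NS RRset also lists a third server that was never
# added at the parent.
PARENT = Delegation("child.example.",
                    frozenset({"ns1.example.net.", "ns2.example.net."}))
CHILD = ChildApex("child.example.",
                  frozenset({"ns1.example.net.", "ns2.example.net.",
                             "ns3.example.org."}))

if __name__ == "__main__":
    for model in ("child-centric", "parent-centric"):
        print(model, sorted(servers_to_query(PARENT, CHILD, model)))
    print(delegation_report(PARENT, CHILD))
```

The practical consequence for operators: a child apex NS RRset that is "more correct" than the parent delegation no longer repairs it from the resolver's point of view, so mismatches reported by delegation_report need to be fixed at the parent.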



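The cache behaviour described in the post (opportunistic TTL cleaning on lookup, eviction only under memory pressure), as an added example that is not part of the message and not ISC's code. The eviction loop follows the published SIEVE algorithm rather than ISC's SIEVE-LRU implementation, the per-entry byte cost is a modelling assumption, and the record names and the 160-byte max_cache_size are constructed so the eviction is easy to follow.

```python
"""Toy resolver cache with opportunistic TTL cleaning and SIEVE eviction.

Added illustration, not BIND 9 code.  ISC describes its implementation as
SIEVE-LRU (see the linked blog post); the eviction loop below follows the
published SIEVE algorithm (a FIFO with a "visited" bit and a moving hand),
and entry_cost is an assumed stand-in for real memory accounting.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    rdata: tuple
    expires: float
    visited: bool = False


def entry_cost(name: str, rdata: tuple) -> int:
    """Assumed memory cost of a cache entry, in bytes."""
    return 32 + len(name) + sum(len(r) for r in rdata)


class ResolverCache:
    def __init__(self, max_cache_size: int):
        self.max_cache_size = max_cache_size
        self.used = 0
        self.entries = {}   # (name, rtype) -> Entry
        self.order = []     # keys from oldest (index 0) to newest
        self.hand = 0       # SIEVE hand: index into self.order

    def __len__(self):
        return len(self.entries)

    def _remove(self, key):
        idx = self.order.index(key)
        self.order.pop(idx)
        entry = self.entries.pop(key)
        self.used -= entry_cost(key[0], entry.rdata)
        if idx < self.hand:
            self.hand -= 1
        if self.hand >= len(self.order):
            self.hand = 0

    def _sieve_evict(self):
        """Evict one entry: walk the hand from old to new, giving every
        entry that was hit since the last pass a second chance by clearing
        its visited bit, and evicting the first one that was not hit."""
        n = len(self.order)
        i = self.hand % n
        while self.entries[self.order[i]].visited:
            self.entries[self.order[i]].visited = False
            i = (i + 1) % n
        self.hand = i
        self._remove(self.order[i])

    def lookup(self, name, rtype, now):
        key = (name, rtype)
        entry = self.entries.get(key)
        if entry is None:
            return None
        if entry.expires <= now:
            # Opportunistic TTL cleaning: the stale entry is expunged only
            # now that something asked for it; no background sweep exists.
            self._remove(key)
            return None
        entry.visited = True
        return entry.rdata

    def insert(self, name, rtype, rdata, ttl, now):
        key = (name, rtype)
        rdata = tuple(rdata)
        cost = entry_cost(name, rdata)
        if cost > self.max_cache_size:
            raise ValueError("entry larger than max_cache_size")
        if key in self.entries:
            self._remove(key)
        # LRU (SIEVE) cleaning runs only when the cache is out of room.
        while self.entries and self.used + cost > self.max_cache_size:
            self._sieve_evict()
        self.entries[key] = Entry(rdata, now + ttl)
        self.order.append(key)
        self.used += cost

    def expired_but_cached(self, now):
        """How many stale entries are still occupying memory."""
        return sum(1 for e in self.entries.values() if e.expires <= now)


def demo():
    """Walk through fill, hit-protected eviction, and lazy expiry."""
    cache = ResolverCache(max_cache_size=160)   # fits three 51-byte entries
    for host in ("a", "b", "c"):
        cache.insert(f"{host}.example.", "A", ["192.0.2.1"], ttl=300, now=0)
    facts = {"after_fill": (len(cache), cache.used)}
    cache.lookup("a.example.", "A", now=10)          # hit: a gets a second chance
    cache.insert("d.example.", "A", ["192.0.2.1"], ttl=300, now=20)  # pressure: evicts b
    facts["evicted_b"] = cache.lookup("b.example.", "A", now=20) is None
    facts["kept_a"] = cache.lookup("a.example.", "A", now=20) is not None
    facts["size_after_evict"] = len(cache)
    facts["stale_at_400"] = cache.expired_but_cached(400)   # all expired, none removed
    facts["c_at_400"] = cache.lookup("c.example.", "A", now=400)  # expunged on access
    facts["size_after_stale_lookup"] = len(cache)
    facts["stale_after"] = cache.expired_but_cached(400)
    return facts


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the stale_at_400 step is the one the post warns about: nothing removes expired entries on its own, so memory only comes back when an expired record is looked up or when the cache fills and SIEVE runs, which is why a steadily growing RSS up to max-cache-size is expected rather than a leak.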