ISC BIND early availability: 9.11.0a1

Evan Hunt each at
Thu Mar 24 20:16:30 UTC 2016

The following BIND 9 release is now available for download at

     - BIND 9.11.0a1

If no problems are reported, this release will be signed and published
at and

This is the first alpha release for BIND 9.11.  It includes the
following new features:

    - Added support for "dnstap", a fast and flexible method of
      capturing and logging DNS traffic.
    - Added support for "dyndb", a new API for loading zone data
      from an external database, developed by Red Hat for the FreeIPA
    - The new "rndc nta" command can be used to set a Negative
      Trust Anchor (NTA), disabling DNSSEC validation for a
      specific domain; this can be used when responses from a
      domain are known to be failing validation due to administrative
      error rather than because of a spoofing attack.  Negative
      trust anchors are strictly temporary; by default they expire
      after one hour, but can be configured to last up to one week.
    - New "fetchlimit" quotas are now available for the use of
      recursive resolvers that are under high query load for
      domains whose authoritative servers are nonresponsive or are
      experiencing a denial of service attack:
      + "fetches-per-server" limits the number of simultaneous queries
        that can be sent to any single authoritative server.  The
        configured value is a starting point; it is automatically
        adjusted downward if the server is partially or completely
        non-responsive. The algorithm used to adjust the quota can be
        configured via the "fetch-quota-params" option.
      + "fetches-per-zone" limits the number of simultaneous queries
        that can be sent for names within a single domain.  (Note:
        Unlike "fetches-per-server", this value is not self-tuning.)
      + New stats counters have been added to count
        queries spilled due to these quotas.
    - The experimental "SIT" feature in BIND 9.10 has been renamed
      "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
      enabling clients to detect off-path spoofed responses, and
      servers to detect spoofed-source queries.  Clients that identify
      themselves using COOKIE options are not subject to response rate
      limiting (RRL) and can receive larger UDP responses.
    - SERVFAIL responses can now be cached for a limited time
      (defaulting to 1 second, with an upper limit of 30).
      This can reduce the frequency of retries when a query is
      persistently failing.
    - The "controls" block in named.conf can now grant read-only
      "rndc" access to specified clients or keys. Read-only clients
      could, for example, check "rndc status" but could not
      reconfigure or shut down the server.
    - "rndc" commands can now return arbitrarily large amounts of
      text to the caller.
    - The zone serial number of a dynamically updatable zone
      can now be set via "rndc signing -serial <number> <zonename>".
      This allows inline-signing zones to be set to a specific
      serial number.
    - "rndc delzone" can now be used on zones that were not originally
      created by "rndc addzone".
    - "rndc modzone" reconfigures a single zone, without requiring
      the entire server to be reconfigured.
    - "rndc showzone" displays the current configuration of a zone.
    - "rndc managed-keys" can be used to check the status of RFC 5001
      managed trust anchors, or to force trust anchors to be refreshed.
    - "max-cache-size" can now be set to a percentage of available
      memory. The default is 90%.
    - Update forwarding performance has been improved by allowing
      a single TCP connection to be shared by multiple updates.
    - The EDNS Client Subnet (ECS) option is now supported for
      authoritative servers; if a query contains an ECS option
      then ACLs containing "geoip" or "ecs" elements can match
      against the address encoded in the option.  This can be
      used to select a view for a query, so that different answers
      can be provided depending on the client network.
    - The EDNS EXPIRE option has been implemented on the client
      side, allowing a slave server to set the expiration timer
      correctly when transferring zone data from another slave.
    - The key generation and manipulation tools (dnssec-keygen,
      dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
      take "-Psync" and "-Dsync" options to set the publication
      and deletion times of CDS and CDNSKEY parent-synchronization
      records.  Both named and dnssec-signzone can now publish and
      remove these records at the scheduled times.
    - A new "masterfile-style" zone option controls the formatting
      of text zone files: when set to "full", a zone file is dumped
      in single-line-per-record format.
    - "serial-update-method" can now be set to "date". On update,
      the serial number will be set to the current date in YYYYMMDDNN.
    - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
    - "named -L <filename>" causes named to send log messages to
      the specified file by default instead of to the system log.
    - "dig +ttlunits" prints TTL values with time-unit suffixes:
      w, d, h, m, s for weeks, days, hours, minutes, and seconds.
    - "dig +unknownformat" prints dig output in RFC 3597 "unknown
      record" presentation format.
    - "dig +ednsopt" allows dig to set arbitrary EDNS options on
    - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
      flags on requests.
    - "mdig" is an alternate version of dig which sends multiple
      pipelined TCP queries to a server.  Instead of waiting for a
      response after sending a query, it sends all queries
      immediately and displays responses in the order received.
    - "serial-query-rate" no longer controls NOTIFY messages.
      These are separately controlled by "notify-rate" and
    - "nsupdate" now performs "check-names" processing by default
      on records to be added.  This can be disabled with
      "check-names no;".
    - The statistics channel now supports DEFLATE compression,
      reducing the size of the data sent over the network when
      querying statistics.
    - New counters have been added to the statistics channel
      to track the sizes of incoming queries and outgoing responses in
      histogram buckets, as specified in RSSAC002.
    - A new NXDOMAIN redirect method (option "nxdomain-redirect")
      has been added, allowing redirection to a specified DNS
      namespace instead of a single redirect zone.
    - When starting up, named now ensures that no other named
      process is already running.
    - Files created by named to store information, including "mkeys"
      and "nzf" files, are now named after their corresponding views
      unless the view name contains characters incompatible with use
      as a filename. Old style filenames (based on the hash of the
      view name) will still work.
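The following named.conf fragment is an added example written for this page; it is not part of the ISC announcement and not ISC's own sample configuration. It puts several of the resolver-side 9.11 features listed above into one recursive-server configuration: the "fetches-per-server" / "fetches-per-zone" quotas with "fetch-quota-params", SERVFAIL caching, a percentage "max-cache-size", "nxdomain-redirect", dnstap output, and a read-only "controls" channel. All addresses, paths, key secrets and the quota numbers are placeholders chosen for illustration, not recommended values, and dnstap requires a named built with dnstap support.

```conf
// Added example (not from the announcement): recursive resolver using
// BIND 9.11.0a1 options.  Networks, paths and secrets are placeholders.

key "rndc-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // constructed placeholder
};
key "monitor-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // constructed placeholder
};

options {
    directory "/var/named";                 // placeholder path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };      // placeholder client network
    dnssec-validation auto;

    // fetchlimit quotas: bound the outstanding queries to one authoritative
    // server and to names under one zone, so an unresponsive or attacked
    // target cannot exhaust this resolver's recursive-client slots.
    fetches-per-server 200 fail;            // starting point; self-tunes downward
    fetches-per-zone 100 drop;              // fixed; not self-tuning
    // recalculation interval, low/high non-response thresholds, discount factor
    fetch-quota-params 100 0.1 0.3 0.7;     // example values, not a recommendation

    // cache SERVFAIL for a few seconds so a persistently failing name is not
    // re-queried on every client retry (default 1 second, upper limit 30)
    servfail-ttl 5;

    // cache limit expressed as a percentage of available memory
    max-cache-size 50%;

    // redirect NXDOMAIN answers into a namespace rather than one redirect zone
    nxdomain-redirect "redirect.example.";  // placeholder namespace

    // dnstap: record all query/response traffic to a local frame-stream file
    dnstap { all; };
    dnstap-output file "/var/log/named/dnstap.fstrm";   // placeholder path
};

controls {
    // full rndc control for the local administrator key
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    // read-only channel for a monitoring host: "rndc status" is permitted,
    // but reconfiguration and shutdown commands are refused
    inet 192.0.2.10 port 953 allow { 192.0.2.0/24; }
        keys { "monitor-key"; } read-only yes;
};
```

The split between "rndc-key" and a read-only "monitor-key" is the point of the "controls" change: a monitoring system that only needs "rndc status" no longer has to hold a key that can also stop or reconfigure the server.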
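A second added example, again not from the announcement or from ISC, shows the authoritative-side features listed above: an "ecs" ACL element used to select a view from the EDNS Client Subnet option, "masterfile-style full" for single-line-per-record zone dumps, and "serial-update-method date" so dynamically updated zones carry a YYYYMMDDNN serial. The network prefix, zone name and file names are placeholders.

```conf
// Added example (not from the announcement): authoritative server using
// BIND 9.11.0a1 ECS view selection and zone options.  Values are placeholders.

// matches queries whose ECS option carries a client prefix within this network
acl "ecs-clients" { ecs 198.51.100.0/24; };   // placeholder network

options {
    directory "/var/named";   // placeholder path
    recursion no;
};

view "ecs-clients" {
    // selected only when the ECS option in the query matches the ACL above,
    // so these clients receive answers tailored to their network
    match-clients { ecs-clients; };
    zone "example.com" {
        type master;
        file "db.example.com.ecs";   // placeholder: view-specific zone data
        masterfile-style full;       // one record per line when dumped
    };
};

view "default" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "db.example.com";       // placeholder
        masterfile-style full;
        // dynamic updates signed with the local session key; each update
        // sets the SOA serial to the current date as YYYYMMDDNN
        update-policy local;
        serial-update-method date;
    };
};
```

Because view selection happens on the ECS option rather than the source address, an answer that differs between the two views reflects what the query claimed about the client's network; the announcement describes this as the intended use, and the zone files for each view should be maintained with that in mind.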

A detailed list of the changes for each release can be found in
the file CHANGES.  Bug reports can be sent to bind9-bugs at

Evan Hunt -- each at
Internet Systems Consortium, Inc.
