2025 BIND Update

2025 Summary

BIND 9 remains a very functional, reliable, and well-supported option for a self-hosted DNS system. A lot of sustained hard work goes into this open source project. I have attempted to summarize the major accomplishments of the team in 2025.

2025 was another busy year for the BIND 9 development team. There were no changes in personnel. The development team consists of:

  • Mark Andrews, the original DNS protocol policeman,
  • Artem Boldariev, who has been working on encrypted transport support (DoH and DoT),
  • Evan Hunt, a long-time maintainer and great explainer,
  • Matthijs Mekking, our DNSSEC specialist,
  • Aydin Mercan, who has a special interest in cryptography,
  • Alessio Podda, who is doing performance engineering,
  • Aram Sargsayan, who has recently been updating our catalog zones support,
  • Colin Vidal, who is focused on improving configuration and management, and
  • The DNS Development Director and team lead, Ondřej Surý, who is one of our most prolific developers.

The QA team, led by Michał Kępień, uses automation everywhere possible. Michał’s team includes:

  • Štěpán Balážik, who has been updating or re-implementing system tests,
  • Andoni Duarte, who has been tinkering with our continuous integration system and doing releases,
  • Petr Špaček, who specializes in performance testing and protocol development,
  • Michal Nowak, who quietly fixes many broken things, and
  • Nicki Křížek, original author of the dns-shotgun tool, and part of our release team.

Development Focus - Modernization and Performance

The 9.20 stable branch debuted a huge change, replacing the venerable Red-Black-Tree database (RBTDB) with a QP-trie database by default. Because of the risk associated with such a major change, the RBTDB was retained in 9.20 as a fallback option, accessible by explicit configuration or a compile-time flag. During this past year, we have not seen any significant issues related to this change, so the RBTDB will be removed entirely in the 2026 stable version, 9.22. We promoted BIND 9.20 to ESV (Extended Support Version) status, as it has been a very solid branch.

We are continually trying to improve BIND performance, and 2025 included several more of these efforts. We improved on our existing least-recently-used cache-expiration mechanism by implementing a SIEVE-LRU based mechanism that triggers when the cache is close to the max-cache-size limit. This improved recursive server performance. (We will be posting some updated recursive performance tests in early 2026.) A recent blog post provides the results of comparative performance testing of BIND 9.18 vs 9.20 in authoritative applications. We found overall authoritative performance improved 4 - 7% for most profiles. We also found a 28% increase in memory usage for profiles with many zones, although this has been remediated in the 9.21 development branch, which will be reflected in 9.22 once that is released.

Another big change to the project in 2025 was the adoption of the Meson build system, replacing the old autotools. This required adjustments to our automated CI systems, but it has resulted in faster build times and better developer ergonomics.

Although the team is mostly focused on refactoring and maintenance, we did add a surprising amount of new functionality in 2025.

Significant Features Added

  • A new named-checkconf -e option prints the effective server configuration, including all the default settings, that would result from loading the specified configuration file into named. This has been a frequently-requested feature for at least 6 years, and required other changes, such as the creation of a separate root-trust anchors config option (instead of bind-keys).

  • A new plugin automatically synthesizes reverse PTR responses from IP addresses. It also works in “forward” mode, synthesizing A/AAAA records. An allow-synth address-match list can be used to limit the network addresses for which the plugin may generate responses.

  • To simplify the configuration of multiple similar zones, BIND now supports a zone template mechanism. template blocks containing zone options can be defined at the top level of the configuration file; they can then be referenced in zone statements. A zone referencing a template will use the options in the specified template block as defaults.

  • We have continued our campaign to improve zone updates. We fixed a bothersome issue, where BIND could begin responding to queries before all the protective RPZ zones had loaded, potentially exposing users to malicious zones. We added a notify-defer option (delayed batching of NOTIFY messages) for catalog zones, specifically. We added the ability to detect and restart stalled zone transfers. We implemented the ZONEVERSION draft, and added new record types for HHIT and BRID.

  • After implementing our Key and Signing Policy (KASP), we have made numerous further operational improvements to BIND’s DNSSEC support. We added a new manual-mode option to dnssec-policy. When it is enabled, named does not automatically perform the next key state transition; instead the pending transition is logged, and it is only made after manual confirmation with rndc dnssec -step. Also known as the ‘dry run’, this feature will help lower risk during migration to the new dnssec-policy system.

  • In addition to the manual-mode option in dnssec-policy, a new option to named-checkconf can check if your current key-directory (DNSSEC key configuration) is in sync with the given dnssec-policy.

  • We added the new DSYNC record, a generalized use of the familiar NOTIFY function that is intended to help parent-child communication maintain up-to-date delegations, including DNSSEC information. We added deprecation warnings for weak DNSSEC algorithms (see the deprecated list below).
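The zone template, manual-mode and named-checkconf -e features from the list above, combined in one minimal named.conf. This is an added example, not configuration taken from the ISC post or from the BIND documentation: the exact form of the template reference inside a zone (template <name>;) and of the manual-mode statement (manual-mode yes;) are assumed from the post's description, and the zone names, file names and addresses are constructed. Check the ARM for your release before relying on the spelling.

```conf
options {
    directory "/var/named";
};

// A signing policy that only logs the next key-state transition until an
// operator confirms it with:  rndc dnssec -step example.com
dnssec-policy "cautious" {
    manual-mode yes;    // assumed boolean form of the option named in the post
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

// Template: these options become the defaults for every zone that references
// it. The reference syntax ('template <name>;' inside a zone) is assumed.
template "signed-primary" {
    type primary;
    dnssec-policy "cautious";
    inline-signing yes;
    notify yes;
    allow-transfer { 192.0.2.10; };    // constructed secondary address
};

zone "example.com" {
    template "signed-primary";
    file "example.com.db";
};

zone "example.net" {
    template "signed-primary";
    file "example.net.db";
    allow-transfer { 192.0.2.11; };    // a zone option overrides the template default
};

// To see what named would actually run, including every default and the
// template expansion, print the effective configuration:
//
//   named-checkconf -e /etc/named.conf
```

Reviewing the named-checkconf -e output before a restart is the point of the feature: it shows the expanded zones, so a template mistake (a transfer ACL wider than intended, a policy applied to the wrong zone) is visible as concrete per-zone settings rather than hidden behind the template name. With manual-mode on, each pending rollover step appears in the log and stays pending until rndc dnssec -step is run for that zone.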

Many of these new features, as well as others, were also back-ported to the 9.18 old-stable version.

Deprecated or Removed Features

We remove features for various reasons: to simplify the code, because the feature has become a vector for a CVE, or because the industry has decided that a feature or encryption algorithm is insecure or otherwise a bad idea. We do try to advertise our plans ahead of time on the bind-users mailing list, unless the deprecation is necessary due to a CVE or a change in the Internet Standards. This is a partial list of the features and options we deprecated in 2025:

  • The auto-dnssec configuration statement was completely removed (use dnssec-policy instead).
  • Obsoleted DNSSEC statements include: dnskey-sig-validity, dnssec-dnskey-kskonly, dnssec-update-mode, sig-validity-interval, update-check-ksk and dnssec-secure-to-insecure.
  • The trusted-keys and managed-keys options were removed (use trust-anchors).
  • TKEY Mode 2 (Diffie-Hellman) support was removed: the tkey-domain statement was obsoleted and tkey-gssapi-credential deprecated (use tkey-gssapi-keytab).
  • RSASHA1 and RSASHA1-NSEC3SHA1 algorithms, and DS digest type 1 (SHA1) were deprecated with warnings.
  • The glue-cache option was removed (it is now permanently enabled).
  • The resolver-nonbackoff-tries and resolver-retry-interval statements were removed.
  • The DSCP (Differentiated Services Code Point) feature was removed (after we removed it, of course we heard from a user who relied on this).
  • The keep-response-order option was removed. Fixed RRset ordering was removed because it could be abused.
  • The sortlist option was removed.
  • The delegation-only zone type and related statements were removed.
  • Source port specification in the various -source statements was deprecated or removed.
  • DNSRPS (DNS Response Policy Service) was removed. We added this for Farsight Security, which no longer exists, and to our knowledge, nobody ever used it. This was a reportedly improved, but proprietary, implementation of RPZ.
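The removed and deprecated statements above, each shown commented out beside the configuration that replaces it. This is an added migration example, not text from the ISC post or from the BIND documentation; the paths, zone name and key settings are constructed, the trust-anchors digest is a placeholder, and the choice of ecdsap256sha256 as the replacement for the deprecated RSASHA1 algorithms is the editor's, based on it being the algorithm of BIND's built-in default policy.

```conf
options {
    directory "/var/named";

    // trusted-keys { ... };  and  managed-keys { ... };  were removed.
    // 'trust-anchors' replaces both; for the root zone alone,
    // 'dnssec-validation auto' uses the built-in root key and needs no block.
    dnssec-validation auto;

    // glue-cache yes;                   // removed: now permanently enabled
    // sortlist { ... };                 // removed
    // keep-response-order { any; };     // removed
    // resolver-nonbackoff-tries 3;      // removed
    // resolver-retry-interval 800;      // removed

    // tkey-gssapi-credential "DNS/ns1.example.com";   // deprecated
    tkey-gssapi-keytab "/etc/named/dns.keytab";        // replacement (constructed path)
};

// For a non-root island of trust, the replacement statement looks like this
// (placeholder digest; put the real DS values here):
//
// trust-anchors { example. initial-ds 12345 13 2 "<DIGEST-PLACEHOLDER>"; };

// Per-zone signing knobs are replaced by one policy referenced from zones.
dnssec-policy "modern" {
    keys {
        // RSASHA1 and RSASHA1-NSEC3SHA1 now log deprecation warnings;
        // ecdsap256sha256 is what BIND's built-in default policy uses.
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
    signatures-validity 14d;     // replaces sig-validity-interval
    signatures-refresh 5d;
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // auto-dnssec maintain;             // removed
    // sig-validity-interval 14 5;       // obsoleted
    // update-check-ksk yes;             // obsoleted
    // dnssec-dnskey-kskonly yes;        // obsoleted
    dnssec-policy "modern";
    inline-signing yes;
};
```

Run named-checkconf over the migrated file before restarting: a removed statement is a hard error that will stop named from loading, while a deprecated one only logs a warning, so the two classes need to be handled differently when upgrading across branches. Changing the signing algorithm of an already-signed zone is an algorithm rollover, not just a config edit; keep the old algorithm in the policy until the new keys are published and the DS has been updated at the parent.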

We patched and published eight new BIND 9 vulnerability notices in 2025.

BIND QA Efforts

The QA team has been focused on automating the processes for preparing releases and evaluating performance results. They also continue to spend a significant amount of time assessing and attempting to reproduce incoming reports of potential security issues. Last but not least, they’ve been busy cleaning up the BIND 9 system test suite, rewriting shell-based tests to Python and preparing reusable building blocks for new tests, so that the latter are quick to write, reliable, and maintainable in the long term.

The team tested, prepared and packaged 34 open source releases, plus another 18 releases of the BIND -S edition in 2025.

DNS Community Support

ISC also contributes to the wider DNS and Internet community. We collaborate with other DNS developers and operators via the IETF and DNS OARC, and participate actively in the DNS-OARC industry Mattermost chat system.

  • Ondřej Surý is a co-chair of the IETF DNS Ops working group and presented four talks at RIPE Meetings in 2025. Ondřej is also currently a RIPE Fellow Coach and one of the RIPE Arbiters.

  • Ray Bellis, our Director of Operations, is Treasurer and a member of the DNS-OARC Board of Directors, and Cathy Almond is Chair of the Programme Committee.

  • Petr Špaček is a frequent contributor to DNS-OARC, and a co-author and instigator of the radical new DELEG proposal in the IETF. Colin Vidal and Petr Špaček are participating in a small group effort to specify an open, Common DNS API.

  • Matthijs Mekking is organizing a BCP working group within the DNS-OARC community.

  • Jeff Osborn, ISC’s President, is the chair of the ICANN Root Server System Advisory Committee (RSSAC), which is the formal body that advises the ICANN Community and Board of Directors on issues surrounding the DNS Root Server System. It is made up of a representative and an alternate from each of the Root Server Operators; Rob Carolina, ISC’s General Counsel, is Jeff’s alternate from ISC. Jeff and Rob, along with Ray Bellis, Dan Mahoney, and Eddy Winstead, are members of the RSSAC Caucus.

Our team has made 2025 contributions to various non-ISC open source projects, including:

Michał Kępień:

  • https://github.com/rr-debugger/rr/pull/3908
  • https://github.com/rr-debugger/rr/pull/4031
  • https://github.com/libgit2/pygit2/pull/1352

Nicki Křížek:

  • made a couple of contributions to https://github.com/CZ-NIC/respdiff
  • as well as contributions to https://github.com/CZ-NIC/shotgun

Petr Špaček also contributed to https://github.com/CZ-NIC/respdiff

Ondřej Surý: submitted a pull request to https://github.com/openssl/openssl/pull/28781

Throughout the year, both the development team and our team of support engineers help users of our professional support services, as well as open source users. The bind-users mailing list is still going strong and is an active and helpful resource for BIND users.

ISC Staff gave 14 public presentations on BIND or DNS in 2025.

Screenshot of Ondrej's RIPE talk

The team (mostly our support team) added or significantly updated these knowledgebase articles in 2025:

Recognition

Being an open source developer can require a thick skin, because everyone is a critic, but very few are willing to help. However, we do have a few users who have been a BIG help to the project in 2025. We would like to recognize:

  • The engineer at a Nordic ISP who gives us a PCAP capture every quarter, to feed our resolver test bed with realistic queries. This is data we have otherwise no direct access to, and it is crucial to our testing process.
  • The researchers at several universities who have been remarkably successful in probing for potential vulnerabilities in BIND, and in the DNS in general. They are an evergreen resource for BIND CVEs.
  • Bob Halley, author of dnspython, which our QA team uses.
  • The European Commission, who selected BIND 9 as one of the open source projects they funded for a bug bounty, administered by YesWeHack.
  • The maintainers of libuv and OpenSSL, who have accommodated our issue reports and pull requests.
  • DNS-OARC, and the community collaborating on the DNS-OARC chat platform, particularly for coordinated response to protocol-level vulnerability reports, as well as for help tracking down and fixing interoperability issues in the world-wide DNS system.
  • Our colleagues in the industry who have worked with us on the DELEG proposal in the IETF. This could make the worldwide DNS system more sustainable and operable in the future.
  • Everyone who has taken the time to submit a complete, reproducible bug report or issue in our BIND 9 GitLab repository, and who has tested our fixes in their environment.
