Prepare for more frequent BIND security updates

Plan for more frequent BIND security updates, at least for the remainder of 2026.

Large language models (LLMs) are making it much easier to find software vulnerabilities in open source, lowering the bar for researchers and bad actors alike and causing a temporary flood of vulnerability reports to us and to many other open source projects. We are currently triaging vulnerability reports, both from external reporters and from our own LLM analysis, at a rate that exceeds 10X the historic level.

To manage the avalanche of reports, we are making a few changes to the BIND release process and vulnerability handling. We plan to re-evaluate these changes at the end of 2026.

  • We are deferring the release of the next stable branch, BIND 9.22, until at least the end of 2026.
  • We will end maintenance for 9.18 and 9.18-S as previously scheduled, at the end of June 2026. I have updated the ‘roadmap’ document in our knowledgebase to reflect this change.

Users who are currently running 9.18 or 9.18-S should make plans to update to 9.20 as soon as possible, because we will be focusing our efforts on fixing vulnerabilities in the 9.20 and 9.21 branches.

BIND users should plan for frequent security updates for the rest of the year. Although we have had an informal practice of limiting ourselves to a single security release per quarter, to relieve the pressure on operators to update frequently, the situation now demands some changes.

  • For the foreseeable future, users should expect security fixes in every monthly BIND maintenance release.
  • We will not be able to invest extra effort to determine exactly which minor release introduced an issue; users should update to the latest maintenance version on their branch.
  • We are now releasing reproduction tests at the time of vulnerability publication, because these are mostly already discoverable via LLM.

We may also begin issuing CVEs for more medium-severity issues, such as those that score in the CVSS 5 to 7 range. Our policy of issuing Early Vulnerability Notices (EVNs) only for CVSS scores of 7 or higher is not changing. We may not always backport fixes for medium-severity CVEs, depending on the specific case. We welcome feedback on whether issuing CVEs for lower-severity problems would conflict with any of your internal policies.

These things, however, will not change:

  • We will continue to aggressively pursue and fix reported vulnerabilities in BIND 9. We develop these fixes in a private repository and merge them into the public repository right before release, to protect our users from early disclosure.
  • We will continue to assign CVE numbers for all issues that score over 7.0 on the CVSS scale.
  • We will continue to maintain BIND 9.20 and 9.20-S, and to develop 9.21. We have not paused new feature development, although we are prioritizing addressing the vulnerabilities.

We plan to re-evaluate this situation in Q4 2026, and we hope that we will be able to return to our normal release cadence in Q1 2027.

We appreciate your understanding and flexibility as we work to keep BIND safe and reliable for our users.
