BIND 9.12 almost ready

BIND 9.12 development is getting closer to completion!

Barring surprises, BIND 9.12.0b2, now available for download, should be the last development beta before the release candidate. If you want  to give it a try in time to provide us feedback before
our RC code freeze you can find the beta at:

New Feature Branch

We don’t introduce new features or make major changes to minor releases within a BIND branch. New branches are when we make significant changes to BIND.  BIND 9.12.0 will be the first release in the 9.12 series and in the release notes you can find information about the new features, improvements, and fixes that are included in 9.12. Key new features include:

  • NSEC Aggressive Use – this feature, sponsored by APNIC, will reduce query loads on authoritative servers for signed domains: when existing cached records can be used by the resolver to determine that a name does not exist in the authorittive domain, no query needs to be sent. Reducing the number of iterative queries should also improve resolver performance.
  • Serve Stale – When acting as a recursive resolver, named can now continue returning answers whose TTLs have expired when the authoritative server is under attack and unable to respond. Code for this feature was contributed by Akamai.
  • The DNS Response Policy Service (DNSRPS) API, is a mechanism to allow named to use an external response policy provider.  This allows the same types of policy filtering as standard RPZ, but can reduce the workload for named, particularly when using large and frequently-updated policy zones. It also enables named to share response policy providers with other DNS implementations such as Unbound. Thanks to Vernon Schryver and Farsight Security for the contribution.

Mind the Gap

You should also review the “Features Removed” section as well. Some of these changes could break existing scripts that rely on them. We do make every effort to support backwards compatibility, and we only make this kind of change in a major release. For example, going forward HMAC-MD5 will not be recommended for RNDC keys. For backwards compatibility HMAC-MD5 can still be used, but the default algorithm used by rndc-confgen is now HMAC-SHA256.

The release notes can be found at:

Feedback is Critical

User input on development releases is an important part of improving our software and we especially appreciate help from those who are willing to test development releases and provide constructive feedback.  Thank you especially to those who have provided input during the alpha release period and also to those who will help evaluate the new beta release. Please send feedback to

Thank you!


Last modified: November 9, 2017 at 6:13 am