The major changes in BIND 9.13 are related to code modernization.
We have removed a number of workarounds and custom ‘fix-ups’ for broken, non-compliant and obsolete operating systems. Some of these workarounds add significant complexity, due to the need to watch for and handle exceptions. Most of these workarounds are virtually untestable, which means that over time they become liabilities with no utility for most users.
Operating Systems and Library Support
Going forward, to compile and run BIND successfully, you will need:
- a C99-compatible compiler with atomic operations support (C11 stdatomic, or __atomic, or __sync builtins with GCC or Clang compilers, and Interlocked functions with MSVC)
- a cryptography library (either OpenSSL, LibreSSL or an HSM with a PKCS#11 interface for public-key cryptography)
- a POSIX-compliant system with support for threads.
- support for IPv6 in the operating system, even if you aren’t using IPv6 currently. (We had extra checks to determine whether IPv6 was available in the system that we have removed. We need to protect against the case where BIND features are enabled that require IPv6 and the operating system doesn’t support it.)
- We now spread the initial RRSIG expiration times more evenly over the entire working sig-validity-interval when signing a zone in named to smooth out re-signing and transfer loads. This will help signature maintenance for very large signed zones.
- We have added a new “validate-except” option which specifies a list of domains beneath which DNSSEC validation should not be performed. This is effectively a long-term Negative Trust Anchor (NTA).
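As an added example (not BIND's own code), the following Python simulation shows why spreading the initial RRSIG expiration times evenly across the signature validity interval smooths re-signing load, compared with giving every RRSIG from one signing run the same expiration. The re-sign trigger (an RRSIG is re-signed once its remaining lifetime drops below a fixed window, checked once per day) and the deterministic uniform spread are modelling assumptions, not a description of named's internal scheduler.

```python
"""Model of RRSIG expiration spreading versus clustering (added example, not BIND code).

Assumptions (not taken from the release notes):
  * named checks the zone once per "day" and re-signs any RRSIG whose remaining
    lifetime is below `resign_before` seconds;
  * a freshly generated RRSIG gets the full `validity` lifetime;
  * the "spread" strategy places expirations uniformly across (sign_time, sign_time + validity].
"""
from typing import List

DAY = 86400  # seconds in one day


def clustered_expirations(n_rrsets: int, sign_time: int, validity: int) -> List[int]:
    """Every RRSIG produced by one signing run expires at the same instant."""
    return [sign_time + validity for _ in range(n_rrsets)]


def spread_expirations(n_rrsets: int, sign_time: int, validity: int) -> List[int]:
    """Spread expirations evenly over the whole validity interval (modelling assumption)."""
    return [sign_time + (validity * (i + 1)) // n_rrsets for i in range(n_rrsets)]


def simulate_resign_load(expirations: List[int], validity: int, resign_before: int,
                         start: int, days: int) -> List[int]:
    """Advance one day at a time and count RRSIGs re-signed on each day.

    Each re-signed RRSIG also means a zone change that must be transferred to
    secondaries, so the per-day count is a proxy for both signing and IXFR load.
    """
    expiry = list(expirations)
    load: List[int] = []
    for day in range(days):
        now = start + day * DAY
        resigned = 0
        for i, e in enumerate(expiry):
            if e - now < resign_before:      # remaining lifetime below the window
                expiry[i] = now + validity  # new RRSIG with full validity
                resigned += 1
        load.append(resigned)
    return load


def peak_load(load: List[int]) -> int:
    """Worst single-day re-signing burst; lower is smoother."""
    return max(load)


if __name__ == "__main__":
    # Constructed scenario: 30 RRsets, 30-day validity, re-sign when < 1 day remains.
    n, validity, window = 30, 30 * DAY, DAY
    for name, strategy in (("clustered", clustered_expirations), ("spread", spread_expirations)):
        load = simulate_resign_load(strategy(n, 0, validity), validity, window, 0, 31)
        print(f"{name:9s} peak re-signs/day = {peak_load(load):2d}  per-day = {load}")
```

With the clustered model every RRSIG is renewed on the same day, so the whole zone is re-signed (and transferred) in one burst; with the spread model the same total work is distributed across the interval, which is the effect the release note describes for very large signed zones.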