Release Notes
Introduction
BIND 9.21 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.22 release, this document will be updated with additional features added and bugs fixed. Please see the Changelog file for a more detailed list of changes and bug fixes.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Known Issues
The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
Notes for BIND 9.21.4
Security Fixes
- DNS-over-HTTPS flooding fixes. (CVE-2024-12705) Fix DNS-over-HTTPS implementation issues that arise under heavy query load. Optimize resource usage for `named` instances that accept queries over DNS-over-HTTPS. Previously, `named` processed all incoming HTTP/2 data at once, which could overwhelm the server, especially when dealing with clients that sent requests but did not wait for responses. That has been fixed. Now, `named` handles HTTP/2 data in smaller chunks and throttles reading until the remote side reads the response data. It also throttles clients that send too many requests at once. In addition, `named` now evaluates excessive streams opened by clients that include no DNS data, which is considered “flooding.” It logs these clients and drops connections from them. [GL #4795] In some cases, `named` could leave DNS-over-HTTPS connections in the CLOSE_WAIT state indefinitely. That has also been fixed. [GL #5083] ISC would like to thank Jean-François Billaud for his assistance with investigating this issue.
- Limit additional section processing for large RDATA sets. (CVE-2024-11187) When answering queries, don’t add data to the additional section if the answer has more than 13 names in the RDATA. This limits the number of lookups into the database(s) during a single client query, reducing the query-processing load. [GL #5034] ISC would like to thank Toshifumi Sakaguchi for bringing this vulnerability to our attention.
New Features
- Add Extended DNS Error Code 22 - No Reachable Authority. When the resolver is trying to query an authoritative server and eventually times out, a SERVFAIL answer is given to the client. Add the Extended DNS Error Code 22 - No Reachable Authority to the response. [GL #2268]
- Add “Zone has [AAAA/A] records but is not served by IPv[6/4]” warnings. Check that zones with AAAA records are served by IPv6 servers and that zones with A records are served by IPv4 servers. Sometimes, IPv6 services are accidentally misconfigured and zones with IPv6 (AAAA) address records are not served by DNS servers with IPv6 addresses, which means they need to use translation devices to look up those IPv6 addresses. The reverse is also sometimes true: zones with A records are not resolvable over IPv4 when they should be. To prevent this, BIND now looks for these misconfigured zones and issues a warning if they are found. [GL #4370]
- Add a new option to configure the maximum number of outgoing queries per client request. The configuration option `max-query-count` sets how many outgoing queries per client request are allowed. The existing `max-recursion-queries` value is the number of permissible queries for a single name and is reset on every CNAME redirection. This new option is a global limit on the client request. The default is 200. The default for `max-recursion-queries` is changed from 32 to 50. This allows `named` to send a few more queries while looking up a single name. [GL #4980] [GL #4921]
- Use the Server Name Indication (SNI) extension for all outgoing TLS connections. This improves compatibility with other DNS server software. [GL #5099]
Removed Features
- Remove the `dnssec-must-be-secure` feature. [GL #4482]
- Remove the `sortlist` option. The `sortlist` option, which was deprecated in BIND 9.20, has now been removed. [GL #4665]
- Remove support for fixed RRset ordering. Remove the `fixed` value from the `rrset-order` option and the `--enable-fixed-rrset` option from the `./configure` script. [GL #4666]
- Remove the `trusted-keys` and `managed-keys` options. These options have been deprecated in 9.19 in favor of the `trust-anchors` option and are now being removed. [GL #5080]
Feature Changes
- The configuration clauses `parental-agents` and `primaries` are renamed to `remote-servers`. The top blocks `primaries` and `parental-agents` are no longer preferred and should be renamed to `remote-servers`. The zone statements `parental-agents` and `primaries` are still used, and may refer to any `remote-servers` top block. [GL #4544]
Bug Fixes
- Querying an NSEC3-signed zone for an empty record could trigger an assertion. A bug in the qpzone database could trigger a crash when querying for a deleted name, or a newly added empty non-terminal name, in an NSEC3-signed zone. This has been fixed. [GL #5108]
- Fix `nsupdate` hang when processing a large update. To mitigate DNS flood attacks over a single TCP connection, throttle the connection when the other side does not read the data. Throttling should only occur on server-side sockets, but erroneously also happened for `nsupdate`, which acts as a client. When `nsupdate` started throttling the connection, it never attempted to read again. This has been fixed. [GL #4910]
- Fix possible assertion failure when reloading server while processing update policy rules. [GL #5006]
- Preserve cache across reconfig when using `attach-cache`. When the `attach-cache` option is used in the `options` block with an arbitrary name, it causes all views to use the same cache. Previously, this configuration caused the cache to be deleted and a new cache to be created every time the server was reconfigured. This has been fixed. [GL #5061]
- Resolve the spurious drops in performance due to glue cache. For performance reasons, the returned glue records are cached on the first use. The current implementation could randomly cause a performance drop and increased memory use. This has been fixed. [GL #5064]
- Fix `dnssec-signzone` signing non-DNSKEY RRsets with revoked keys. `dnssec-signzone` was using revoked keys for signing RRsets other than DNSKEY. This has been corrected. [GL #5070]
- Disable deterministic ECDSA for FIPS builds. FIPS 186-5 allows use of deterministic ECDSA (Section 6.3), which is compatible with RFC 6979, but OpenSSL seems to follow FIPS 186-4 (Section 6.3), which only allows random `k` values. This causes `k` value generation to fail for OpenSSL >= 3.2, making BIND unable to generate ECDSA signatures when in FIPS mode. This signing is now fixed by not using deterministic ECDSA when FIPS mode is active. [GL #5072]
- Fix improper handling of unknown directives in `resolv.conf`. The line after an unknown directive in `resolv.conf` could accidentally be skipped, potentially affecting `dig`, `host`, `nslookup`, `nsupdate`, or `delv`. This has been fixed. [GL #5084]
- Fix response policy zones and catalog zones with an `$INCLUDE` statement defined. Response policy zones (RPZ) and catalog zones were not working correctly if they had an `$INCLUDE` statement defined. This has been fixed. [GL #5111]
Notes for BIND 9.21.3
New Features
- Add separate query counters for new protocols. Add query counters for DoT, DoH, unencrypted DoH and their proxied counterparts. The new protocols do not update their respective TCP/UDP transport counter. The previously existing counters are now dedicated for TCP/UDP over plain port 53 only. [GL #598]
- Implement RFC 9567: EDNS Report-Channel option. Add new `send-report-channel` and `log-report-channel` options. `send-report-channel` specifies an agent domain, to which error reports can be sent by querying a specially constructed name within the agent domain. The EDNS Report-Channel option has been added to outgoing authoritative responses, to inform clients where to send such error reports in the event of a problem. If a `zone` is configured which matches the agent domain and has `log-report-channel` set to yes, error-reporting queries will be logged at level info to the dns-reporting-agent logging `channel`. [GL #3659]
- Add detailed debugging of `update-policy` rule matching. This logs how `named` determines whether an update request is granted or denied when using `update-policy`. [GL #4751]
- Update built-in `bind.keys` file with the new 2025 IANA root key. Add an initial-ds entry to `bind.keys` for the new root key, ID 38696, which is scheduled for publication in January 2025. [GL #4896]
- Enable runtime selection of FIPS mode in `dig` and `delv`. `dig -F` and `delv -F` can now be used to select FIPS mode at runtime. [GL #5046]
Removed Features
- Move contributed DLZ modules into a separate repository. DLZ modules should not be used except in testing. The DLZ modules were not maintained, the DLZ interface itself is going to be scheduled for removal, and the DLZ interface is blocking. Any module that blocks the query to the `database` blocks the whole server. The DLZ modules now live in the https://gitlab.isc.org/isc-projects/dlz-modules repository. [GL #4865]
- Remove RBTDB implementation. Remove the RBTDB `database` implementation, and only leave the QPDB-based implementations of `zone` and cache databases. This means it is no longer possible to choose RBTDB as the default database at compilation time, nor to configure RBTDB as the `database` backend in the configuration file. [GL #5027]
Feature Changes
- `dnssec-ksr` now supports KSK rollovers. The tool now allows for KSK generation, as well as planned KSK rollovers. When signing a bundle from a Key Signing Request (KSR), only the key that is active in that time frame is used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time. [GL #4697] [GL #4705]
- Add `none` parameter to `query-source` and `query-source-v6` to disable IPv4 or IPv6 upstream queries but allow listening to queries from clients on IPv4 or IPv6.
- Print RFC 7314: EXPIRE option in transfer summary. [GL #5013]
- Add missing EDNS option mnemonics to `dig`. The Report-Channel and ZONEVERSION options can now be sent using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), and `dig +ednsopt=zoneversion`. Several other EDNS option names, including DAU, DHU, N3U, and CHAIN, are now displayed correctly in text and YAML formats. Also, an inconsistency has been corrected: the TCP-KEEPALIVE option is now spelled with a hyphen in both text and YAML formats; previously, text format used a space.
- Add new `logging` module for crypto errors in libisc. Add a new crypto log module to be used for low-level cryptographic operations. The DNS-related cryptography logs are still logged in the ‘dns/crypto’ module.
- Emit more helpful log messages for exceeding `max-records-per-type`. The new log message is emitted when adding or updating an RRset fails due to exceeding the `max-records-per-type` limit. The log includes the owner name and type, corresponding zone name, and the limit value. It will be emitted on loading a zone file, inbound zone transfer (both AXFR and IXFR), handling a DDNS update, or updating a cache DB. It’s especially helpful in the case of zone transfer, since the secondary side doesn’t have direct access to the offending zone data. It could also be used for `max-types-per-name`, but this change doesn’t implement it yet as it’s much less likely to happen in practice.
- Harden key management when key files have become unavailable. Prior to doing key management, BIND 9 will check if the key files on disk match the expected keys. If key files for previously observed keys have become unavailable, this will prevent the internal key manager from running.
- Reduce memory footprint by optimizing commonly-used data structures. [GL #5022] 
Bug Fixes
- Use TLS for notifies if configured to do so. Notifies configured to use TLS will now be sent over TLS, instead of plain text UDP or TCP. Also, failing to load the TLS configuration for `notify` now results in an error. [GL #4821]
- {&dns} is as valid as {?dns} in a SVCB’s dohpath. `dig` failed to parse a valid SVCB record with a dohpath URI template containing a {&dns}, like `dohpath=/some/path?key=value{&dns}`. [GL #4922]
- Fix NSEC3 closest encloser lookup for names with empty non-terminals. A previous performance optimization for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return incorrect NSEC3 records in some cases. This has been fixed. [GL #4950]
- Report client transport in `rndc recursing` output. When `rndc recursing` is used to dump the list of recursing clients, it now indicates whether a query was sent via UDP, TCP, TLS, or HTTP. [GL #4971]
- `recursive-clients` statement with value 0 triggered an assertion failure. BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed. [GL #4987]
- Parsing of hostnames in `rndc.conf` was broken. When DSCP support was removed, parsing of hostnames in `rndc.conf` was accidentally broken, resulting in an assertion failure. This has been fixed. [GL #4991]
- `dig` options of the form [+-]option=<value> failed to display the value on the printed command line. This has been fixed. [GL #4993]
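The two forms in this note are the RFC 6570 query-string operators a DoH client must accept when it turns a SVCB `dohpath` value into a GET request: `{?dns}` opens the query string, `{&dns}` appends to one the template already carries. The Python below is an added example, not code from BIND or `dig`; the two templates and the DNS message bytes are constructed for illustration, and the validation rule follows RFC 9461 (a `dohpath` is a relative reference containing the `dns` variable) with the base64url encoding of RFC 8484 section 4.1.

```python
import base64
import re

# Constructed examples of the two dohpath forms the release note contrasts.
DOHPATH_QUERY_FORM = "/dns-query{?dns}"                   # '?' starts the query string
DOHPATH_CONTINUATION_FORM = "/some/path?key=value{&dns}"  # '&' extends an existing one

# Constructed DNS wire message: ID 0xabcd, RD set, one question "example.com. IN A".
SAMPLE_DNS_MESSAGE = bytes.fromhex(
    "abcd01000001000000000000"      # header: ID, flags, QDCOUNT=1, AN/NS/AR=0
    "076578616d706c6503636f6d00"    # QNAME example.com.
    "00010001"                      # QTYPE A, QCLASS IN
)

# The two expansions of the 'dns' variable a dohpath consumer has to handle.
_DNS_VARIABLE = re.compile(r"\{([?&])dns\}")


def validate_dohpath(template: str) -> bool:
    """RFC 9461: a dohpath is a relative reference starting with '/' that contains the
    'dns' variable. {?dns} and {&dns} both satisfy that requirement."""
    return template.startswith("/") and _DNS_VARIABLE.search(template) is not None


def encode_dns_param(message: bytes) -> str:
    """RFC 8484 section 4.1: base64url with the trailing '=' padding omitted."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_dns_param(value: str) -> bytes:
    """Inverse of encode_dns_param: restore the padding, then decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def expand_dohpath(template: str, message: bytes) -> str:
    """Build the GET path for a DoH query from its dohpath template.

    '{?dns}' expands to '?dns=<value>' and '{&dns}' to '&dns=<value>'. The value is
    base64url, which uses only unreserved characters, so no percent-encoding is needed.
    """
    if not validate_dohpath(template):
        raise ValueError(f"not a valid dohpath: {template!r}")
    match = _DNS_VARIABLE.search(template)
    operator = match.group(1)
    return (template[: match.start()] + operator + "dns=" + encode_dns_param(message)
            + template[match.end():])


if __name__ == "__main__":
    for template in (DOHPATH_QUERY_FORM, DOHPATH_CONTINUATION_FORM):
        print(template, "->", expand_dohpath(template, SAMPLE_DNS_MESSAGE))
```

A parser that only recognises `{?dns}` rejects the second template even though it is a legal URI template; accepting either operator and letting the operator itself decide whether `?` or `&` is emitted is what makes the expansion correct for both.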
- Provide more visibility into TLS configuration errors by logging SSL_CTX_use_certificate_chain_file() and SSL_CTX_use_PrivateKey_file() errors individually. [GL #5008] 
- Fix a race condition when canceling ADB find which could cause an assertion failure. [GL #5024] 
- Fix doubled memory usage during incoming zone transfer. [GL #4986] 
- SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a lot of memory if the server encounters many SERVFAILs at once. [GL #5025] 
- Fix trying the next primary XoT server when the previous one was marked as unreachable. In some cases `named` failed to try the next primary server in the `primaries` list when the previous one was marked as unreachable. This has been fixed. [GL #5038]
Notes for BIND 9.21.2
New Features
- Log query response status to the query log. Log a query response summary using the new `responses` category. Logging can be controlled via the `responselog` option and via `rndc responselog`. [GL #459]
- Added WALLET type. Add the new record type WALLET (262). This provides a mapping from a domain name to a cryptographic currency wallet. Multiple mappings can exist if multiple records exist. [GL #4947]
- Support ISO timestamps with timezone information. The configuration option `print-time` can now be set to `iso8601-tzinfo`, to use the ISO 8601 timestamp with timezone information when logging. This is used as a default for `named -g`. [GL #4963]
- Add flag to `named-checkconf` to ignore “not configured” errors. `named-checkconf` now takes the `-n` option to ignore “not configured” errors. This allows `named-checkconf` to check the syntax of configurations from other builds that have support for options not present in the `named-checkconf` build. [GL !9446]
- Implement the ForwardOnlyFail statistics channel counter. The new ForwardOnlyFail statistics channel counter indicates the number of queries that failed due to bad forwarders for “forward only” zones. Related to [GL #1793].
Removed Features
- Remove `port` from source address options. Remove the use of `port` when configuring `query-source`, `transfer-source`, `notify-source`, `parental-source`, etc., and their `-v6` counterparts. Also, remove the use of source ports for `parental-agents`. Also remove the deprecated options `use-v4-udp-ports`, `use-v6-udp-ports`, `avoid-v4-udp-ports`, and `avoid-v6-udp-ports`. [GL #3843]
- Remove DNSRPS implementation from the open source version of BIND 9. DNSRPS was a reputedly improved API for a commercial implementation of Response Policy Zones; however, it was never open-sourced and has only ever been available from a single vendor. This goes against the principle that the open source edition of BIND 9 should contain only features that are generally available and universal. [GL !9358]
Feature Changes
- Set logging category for `notify`/`xfer-in`-related messages. Some `notify` and `xfer-in`-related log messages were logged at the “general” category level instead of their own category. This has been fixed. [GL #2730]
- Allow IXFR-to-AXFR fallback on `DNS_R_TOOMANYRECORDS`. This change allows fallback from an IXFR failure to AXFR when the reason is `DNS_R_TOOMANYRECORDS`. [GL #4928]
- Honor the Control Group memory constraints on Linux. On Linux, the system administrator can use the Control Group (`cgroup`) mechanism to limit the amount of memory available to the process. This limit is now honored when calculating the percentage-based values. [GL !9556]
Bug Fixes
- Fix a statistics channel counter bug when “forward only” zones are used. When resolving a zone with a “forward only” policy, and finding out that all the forwarders were marked as “bad”, the “ServerQuota” counter of the statistics channel was incorrectly increased. This has been fixed. [GL #1793]
- Fix a bug in the static-stub implementation. Static-stub addresses and addresses from other sources were being mixed together, resulting in static-stub queries going to addresses not specified in the configuration, or alternatively, static-stub addresses being used instead of the correct server addresses. [GL #4850]
- Don’t allow `statistics-channels` if libxml2 and libjson-c are not configured. When BIND 9 is not configured with the libxml2 and libjson-c libraries, the use of the `statistics-channels` option is a fatal error. [GL #4895]
- Separate DNSSEC validation from long-running tasks. Split CPU-intensive and long-running tasks into separate threadpools in a way that the long-running tasks (like RPZ, catalog zone processing, or zone file operations) don’t block CPU-intensive operations like DNSSEC validations. [GL #4898]
- Fix an assertion failure when processing access control lists. The `named` process could terminate unexpectedly when processing ACLs. This has been fixed. [GL #4908]
- Fix a bug in Offline KSK using a ZSK with an unlimited lifetime. If the ZSK had an unlimited lifetime, the timing metadata `Inactive` and `Delete` could not be found and were treated as an error, preventing the zone from being signed. This has been fixed. [GL #4914]
- Limit the outgoing UDP send queue size. If the operating system UDP queue got full and the outgoing UDP sending started to be delayed, BIND 9 could exhibit memory spikes as it tried to enqueue all the outgoing UDP messages. It now tries to deliver the outgoing UDP messages synchronously; if that fails, it drops the outgoing DNS message that would get queued up and then time out on the client side. [GL #4930]
- Do not set `SO_INCOMING_CPU`. Remove the `SO_INCOMING_CPU` setting as kernel scheduling performs better without constraints. [GL #4936]
- Fix the `rndc dumpdb` command’s error reporting. The `rndc dumpdb` command was not reporting errors that occurred when `named` started up the database dump process. This has been fixed. [GL #4944]
- Fix long-running incoming transfers. Incoming transfers that took longer than 30 seconds would stop reading from the TCP stream and the incoming transfer would be indefinitely stuck, causing BIND 9 to hang during shutdown. This has been fixed, and the `max-transfer-time-in` and `max-transfer-idle-in` timeouts are now honored. [GL #4949]
- Fix an assertion failure when receiving DNS responses over TCP. When matching the received Query ID in the TCP connection, an invalid Query ID could cause an assertion failure. This has been fixed. [GL #4952]
Known Issues
- There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch. 
Notes for BIND 9.21.1
New Features
- Support for Offline KSK implemented. Add a new configuration option `offline-ksk` to enable Offline KSK key management. Signed Key Response (SKR) files created with `dnssec-ksr` (or other programs) can now be imported into `named` with the new `rndc skr -import` command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and generating signatures covering these types, these records are loaded from the currently active bundle from the imported SKR. The implementation is loosely based on draft-icann-dnssec-keymgmt-01.txt. [GL #1128]
- Allow limiting the number of differences in IXFR. A new `request-ixfr-max-diffs` configuration option can set the maximum number of incoming incremental zone transfer (IXFR) differences. Exceeding it triggers a full zone transfer (AXFR). [GL #4389]
- Print the full path of the working directory in startup log messages. `named` now prints its initial working directory during startup, and the changed working directory when loading or reloading its configuration file, if it has a valid `directory` option defined. [GL #4731]
- Support a restricted key tag range when generating new keys. When multiple signers are being used to sign a zone, it is useful to be able to specify a restricted range of key tags to be used by an operator to sign the zone. The range can be specified with `tag-range` in `dnssec-policy`’s keys (for `named` and `dnssec-ksr`) and with the new options `dnssec-keyfromlabel -M` and `dnssec-keygen -M`. [GL #4830]
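A tag range is only useful if every signer derives the tag the same way, so the check an operator would run on a key set is the RFC 4034 Appendix B computation over the DNSKEY RDATA followed by the inclusive range test. The Python below is an added example, not BIND or `dnssec-keygen` code; the DNSKEY records are constructed with deliberately tiny (non-real) public keys so the tags can be verified by hand, and the range bounds are arbitrary.

```python
import base64
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire layout: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey_presentation(text: str) -> bytes:
    """'257 3 13 <base64...>' (base64 may be split by whitespace) to RDATA bytes."""
    flags, protocol, algorithm, *b64 = text.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(b64)))


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    algorithm = rdata[3]
    if algorithm == 1:
        # RSA/MD5 (Appendix B.1): the 16 bits preceding the last byte of the modulus.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        # Sum the RDATA as big-endian 16-bit words; an odd trailing byte is a high half.
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF   # fold the carry back in once
    return ac & 0xFFFF


def tag_in_range(tag: int, low: int, high: int) -> bool:
    """The acceptance test an operator-assigned tag range imposes (inclusive bounds)."""
    if not (0 <= low <= high <= 0xFFFF):
        raise ValueError("tag range must lie within 0..65535 with low <= high")
    return low <= tag <= high


def keys_in_range(records, low: int, high: int):
    """Filter DNSKEY presentation records to those whose tag falls in [low, high]."""
    return [rec for rec in records
            if tag_in_range(key_tag(parse_dnskey_presentation(rec)), low, high)]


# Constructed records (not real keys): '257 3 13 AAECAw==' has tag 1554 and
# '256 3 13 AAEC' (odd-length key) has tag 1550.
SAMPLE_RECORDS = ["257 3 13 AAECAw==", "256 3 13 AAEC"]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "-> tag", key_tag(parse_dnskey_presentation(rec)))
    print("in 1500..1552:", keys_in_range(SAMPLE_RECORDS, 1500, 1552))
```

Two edge cases matter when several signers each generate keys into their own sub-range: the carry fold (`ac += ac >> 16`) only runs once, so the tag of a long RSA key cannot be computed word by word without it, and algorithm 1 uses an entirely different rule. A key whose tag lands outside the assigned range is simply discarded and regenerated, which is what `-M` automates.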
Removed Features
- Remove the `dialup` and `heartbeat-interval` options. The `dialup` and `heartbeat-interval` options have been removed, along with all code implementing them. Using these options is now a fatal error. [GL #4237]
Feature Changes
- Use deterministic ECDSA for OpenSSL >= 3.2. OpenSSL has added support for deterministic ECDSA (RFC 6979) with version 3.2. It is used by default, as it removes arguably the most fragile aspect of ECDSA. The derandomization does not pose a risk for DNS use cases and is allowed by FIPS 186-5. [GL #299]
- Exempt prefetches from the `fetches-per-zone` and `fetches-per-server` quotas. Fetches generated automatically as a result of `prefetch` are now exempt from the `fetches-per-zone` and `fetches-per-server` quotas. This should help in maintaining the cache from which query responses can be given. [GL #4219]
- Improve performance for queries that require an NSEC3 wildcard proof. Rather than starting from the longest matching part of the requested name, look up the shortest partial match. Most of the time this will be the actual closest encloser. [GL #4460]
- Follow the number of CPUs set by `taskset`/`cpuset`. Administrators may wish to constrain the set of cores that `named` runs on via the `taskset`, `cpuset`, or `numactl` programs (or equivalents on other OSes). If the admin has used `taskset`, `named` now automatically uses the given number of CPUs rather than the system-wide count. [GL #4884]
Bug Fixes
- Delay the release of root privileges until after configuring controls. Delay relinquishing root privileges until the control channel has been configured, for the benefit of systems that require root to use privileged port numbers. This mostly affects systems without fine-grained privilege systems (i.e., other than Linux). [GL #4793]
- Fix a rare assertion failure when shutting down incoming transfer. A very rare assertion failure could be triggered when the incoming transfer was either forcefully shut down, or it finished during the printing of the details about the statistics channel. This has been fixed. [GL #4860]
- Fix algorithm rollover bug when there are two keys with the same keytag. If there was an algorithm rollover and two keys of different algorithms shared the same keytags, there was the possibility that the check of whether the key matched a specific state could be performed against the wrong key. This has been fixed by not only checking for the matching key tag but also the key algorithm. [GL #4878]
- Fix an assertion failure in `validate_dnskey_dsset_done()`. Under rare circumstances, `named` could terminate unexpectedly when validating a DNSKEY resource record if the validation had been canceled in the meantime. This has been fixed. [GL #4911]
Known Issues
- Long-running tasks in offloaded threads (e.g. loading RPZ zones or processing zone transfers) may block the resolution of queries during these operations and cause the queries to time out. To work around the issue, the `UV_THREADPOOL_SIZE` environment variable can be set to a larger value before starting `named`. The recommended value is the number of RPZ zones (or number of transfers) plus the number of threads BIND should use, which is typically the number of CPUs. [GL #4898]
Notes for BIND 9.21.0
New Features
- Implement `rndc retransfer -force`. A new optional argument `-force` has been added to the command `rndc retransfer`. When it is specified, `named` aborts the ongoing zone transfer (if there is one) and starts a new transfer. [GL #2299] [GL !9102]
- Add support for external log rotation tools. Add two mechanisms to close open log files. The first is `rndc closelogs`. The second is `kill -USR1 <pid>`. They are intended to be used with external log rotation tools. [GL #4780] [GL !9113]
- `dig` now reports a missing QUESTION section for messages with opcode QUERY. Query responses should contain the QUESTION section, with some exceptions. `dig` was not reporting this. [GL #4808] [GL !9233]
Removed Features
- Remove OpenSSL 1.x engine support. OpenSSL 1.x engine support has been deprecated in OpenSSL 3.x and is going to be removed from the OpenSSL code base. Remove OpenSSL engine support from BIND 9 in favor of OpenSSL 3.x providers. [GL #4828] [GL !9252]
Feature Changes
- Require at least OpenSSL 1.1.1. OpenSSL 1.1.1 or newer (or an equivalent LibreSSL version) is now required to compile BIND 9. [GL #2806] [GL !9110]
- Tighten `max-recursion-queries` and add `max-query-restarts` configuration statement. There were cases when the `max-recursion-queries` quota was ineffective. It was possible to craft zones that would cause a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting errors in the implementation of `max-recursion-queries` and by reducing the default value from 100 to 32. In addition, a new `max-query-restarts` configuration statement has been added, which limits the number of times a recursive server will follow CNAME or DNAME records before terminating resolution. This was previously a hard-coded limit of 16 but is now configurable with a default value of 11. ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue. [GL #4741] [GL !9281]
- Allow shorter `resolver-query-timeout` configuration. The minimum allowed value of `resolver-query-timeout` was lowered from its previous value of 10 000 milliseconds (which is still the default) to 301 milliseconds. Note however that values of 1 to 300 inclusive are interpreted as seconds before applying the limit. A value of zero is interpreted as the default. [GL #4320] [GL !9091]
- Raise the log level of priming failures. When a priming query is complete, it was previously logged at level `DEBUG(1)`, regardless of success or failure. It is now logged to `NOTICE` in the case of failure. [GL #3516] [GL !9121]
Bug Fixes
- Fix a crash caused by valid TSIG signatures with invalid time. An assertion failure was triggered when the TSIG had a valid cryptographic signature but the time was invalid. This could happen when the times between the primary and secondary servers were not synchronised. The crash has now been fixed. [GL #4811] [GL !9234]
- Return SERVFAIL for a too long CNAME chain. When following long CNAME chains, `named` was returning NOERROR (along with a partial answer) instead of SERVFAIL, if the chain exceeded the maximum length. This has been fixed. [GL #4449] [GL !9090]
- Reconfigure catz member zones during `named` reconfiguration. During a reconfiguration, `named` wasn’t reconfiguring catalog zones’ member zones. This has been fixed. [GL #4733]
- Update key lifetime and metadata after `dnssec-policy` reconfiguration. Adjust key state and timing metadata if `dnssec-policy` key lifetime configuration is updated, so that it also affects existing keys. [GL #4677] [GL !9118]
- Fix a crash during zone modification. Fix an assertion failure that could happen when an authoritative zone was modified while the server was generating an answer from that zone. [GL #4691] [GL !9126]
- Fix assertion failure when executing `named-checkconf -v` to print its version. [GL #4827] [GL !9243]
- Fix generation of 6to4-self name expansion from IPv4 address. The period between the most significant nibble of the encoded IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the wrong name being checked. This has been fixed. [GL #4766] [GL !9099]
- `dig +yaml` was producing unexpected and/or invalid YAML output. [GL #4796] [GL !9127]
- SVCB ALPN text parsing failed to reject zero-length ALPN. [GL #4775] [GL !9106]
- Fix false QNAME minimisation error being reported. Remove the false positive `success resolving` log message when QNAME minimisation is in effect and the final result is an NXDOMAIN. [GL #4784] [GL !9117]
- Fix `--enable-tracing` build on systems without dtrace. A missing `util/dtrace.sh` file prevented builds on systems without the `dtrace` utility. This has been corrected. [GL #4835] [GL !9262]
Known Issues
- There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch. 
License
BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.21 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.22, which will be a stable branch. The end-of-life date for BIND 9.22 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.