# Significant Changes in BIND9 package

## BIND 9.16

### New features

- *libuv* is used for network subsystem as a mandatory dependency
- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
  ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output

### Feature changes

- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
  Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them

### Features removed

- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
- *dnssec-lookaside* option is deprecated and support for it removed from all tools
- *cleaning-interval* option is removed

### Upstream release notes

- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)

## BIND 9.14

- single thread support removed. Cannot provide *bind-export-libs* for DHCP
- *lwres* support completely removed. Both daemon and library
- common parts of daemon moved into *libns* shared library
- introduced plugin for filtering aaaa responses
- some SDB utilities no longer supported

### Upstream release notes

- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)