Today the e-mail faerie brought news of the release of BIND9 9.10.0 which can be downloaded from here. BIND9 is the most popular name server on the Internet and has been ever since taking that title away from BIND8, which had a few years earlier taken it from BIND4. I used to work on BIND, and I founded ISC, the home of BIND, and even though I left ISC in July 2013 to launch a commercial security startup company, I remain a fan of both ISC and BIND. I'm here to tell you, BIND9 9.10 is the most featureful single release of any open source DNS software package ever. Let's look at some of the highlights:

DNS Response Rate Limiting (RRL), created by Vernon Schryver and Paul Vixie, is now part of the base server. It's not enabled by default, though I have hopes for that in time to come. But since it's in the name server, and turning it on is very simple, we can expect to see more authoritative name servers opt out of their long-held DDoS reflecting amplifier role in months and years to come.

Zone files can be stored in "map" format, which means the preparation of a large zone can take place offline, and the actual moment of publication where the new zone data is made available via a running server, is instantaneous. Kudos to the NSD Team for being first into the field with this fantastic idea. And kudos to the BIND team for not being too proud to copy a good idea when they see one.

DNS Response Policy Zones (RPZ), another advanced security feature brought to you by the creative team of Vernon Schryver and Paul Vixie, has been upgraded to moot the old performance problem whereby a name server that subscribed to multiple RPZ feeds would slow down as more RPZ feeds were added. Also, DNS RPZ Format 3 is now supported, which makes it possible to preserve the original QNAME when a wildcard rule is used — helpful when building walled gardens. It is also now possible to use the client's IP address as an RPZ rule trigger, in case you find a bad actor who deserves the mushroom treatment (keep them in the dark and feed them manure).
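
As an added illustration (not part of the original post and not ISC's own configuration), here is a constructed RPZ policy zone that uses the wildcard rewrite and the client-IP trigger described above. The zone name, the walled-garden domain and all addresses are placeholders chosen for the example.

```dns
; Constructed RPZ policy zone "rpz.example.net" (every name and address
; here is a placeholder). A BIND 9.10 recursive server would load it as
; an ordinary zone and reference it from named.conf options with:
;   response-policy { zone "rpz.example.net"; };
; Owner names below are relative to the policy zone, so they carry no
; trailing dot; rewrite targets are absolute.
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
    IN NS   localhost.

; QNAME trigger, NXDOMAIN action: the name and everything beneath it
; appear not to exist.
bad.example.com                 CNAME .
*.bad.example.com               CNAME .

; Wildcard rewrite for a walled garden: the "*" in the target is
; replaced by the full query name, so a lookup of
;   www.phish.example.org
; is answered as a CNAME to
;   www.phish.example.org.garden.example.net.
; and the garden's authoritative server sees (and can log) the
; original QNAME.
*.phish.example.org             CNAME *.garden.example.net.

; Client-IP trigger: prefix length first, then the address octets in
; reverse order. Every query from 192.0.2.0/24 gets NXDOMAIN.
24.0.2.0.192.rpz-client-ip      CNAME .

; Single client 198.51.100.7 gets NODATA (empty answer) instead.
32.7.100.51.198.rpz-client-ip   CNAME *.
```

On a test resolver, querying a name under `phish.example.org` with `dig` and checking that the answer section shows the rewritten CNAME target is a quick way to confirm the policy zone is being applied.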

(Side note: My day job (Farsight Security) offers an RPZ feed we call Newly Observed Domains (NOD) which allows a recursive DNS server operator to pretend that extremely young domain names just don't exist yet. It turns out that many online criminals create, abuse, and destroy their DNS names within a span of minutes or hours.)

There are a bazillion other smaller features and new utilities that I'll skip here for the sake of the high points. I want to say to my old team: BIND9 9.10.0 is the best thing ever, and: thanks for keeping the faith.

Excelsior!