
The latest BIND 9 releases include several security fixes, performance improvements, and fixes for bugs that have been causing issues for system administrators. One major fix addresses a "segmentation fault" in the delv utility caused by a use-after-free error, which has been a problem for months. The new releases also improve how BIND logs dnstap messages and randomize nameserver selection to prevent resolution failures. To upgrade, download the latest tarball from ISC's website, verify its signature with gpg, and follow the installation instructions to ensure your server is up-to-date and secure.



BIND 9 releases patch key DNS bugs – update your server now

The latest BIND 9 releases (9.18.46, 9.20.20, and the experimental 9.21.19) bring a handful of security fixes, performance tweaks, and fixes for several long‑standing bugs that have been nagging system administrators for months.


Why you should upgrade

A recent incident in a small business network showed that the delv utility could crash after receiving a DNAME response. The root cause was a use‑after‑free error inside dns_client_resolve(). The new patch fixes that exact scenario, eliminating the nasty “segmentation fault” that would otherwise bring the debugging session to an abrupt halt.

Alongside the security fix, the releases improve how BIND logs dnstap messages and randomize nameserver selection. The latter change is particularly useful when a zone’s NS RRset contains multiple addresses; previously the resolver would always pick the same one first, which could lead to resolution failures if that address was temporarily unreachable.

What changed in each release
  • 9.18.46 adds several bug fixes and the critical use‑after‑free patch. It also improves TCP source port selection on Linux by enabling IP_LOCAL_PORT_RANGE, speeding up connections when many sockets are open.

  • 9.20.20 focuses on stability: it removes an assertion failure triggered by non‑minimal IXFRs, stops a crash that could happen when retrying NOTIFY over TCP, and corrects the handling of DNSSEC validation when a DS record contains both supported and unsupported algorithms.

  • 9.21.19 is still in development mode; it contains experimental features such as enhanced fetch loop detection and stricter EDNS client subnet family handling (returning FORMERR for unknown families).

All three releases ship with a full source tarball, cryptographic signature, and detailed release notes that explain the significance of each change.

How to upgrade
  1. Grab the appropriate tarball from ISC’s download page:
    9.18.46 – https://downloads.isc.org/isc/bind9/9.18.46/ 
    9.20.20 – https://downloads.isc.org/isc/bind9/9.20.20/ 
    9.21.19 (dev) – https://downloads.isc.org/isc/bind9/9.21.19/ 

  2. Verify the signature with gpg to make sure you haven’t downloaded a tampered file.

  3. Extract, then run ./configure, followed by make and make install.
    If you install BIND through a package manager instead, wait for ISC to update the packages later today; the new binaries will replace the old ones automatically.

  4. After installation, reload or restart named to pick up the updated code.

If your environment is heavily customized, run the test suite (make check) before restarting production services. The tests will surface any regressions that might affect your existing configuration.
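Steps 1 to 3 as shell functions, added here as an example (not ISC's or the original article's code): the build only starts if gpg reports a valid signature made by a key whose fingerprint you pinned in advance, rather than by any key that happens to be in your keyring. The tarball name `bind-<version>.tar.xz`, its `.asc` signature file and the extracted directory name are assumptions; the fingerprint argument is a placeholder for ISC's signing key fingerprint, which you must obtain from ISC yourself.

```sh
#!/bin/sh
# Added example: pin the signer when verifying a BIND 9 tarball.

# check_gpg_status STATUS EXPECTED_FPR
# STATUS is the text gpg writes with --status-fd. Succeeds only when exactly
# one valid signature is reported and it was made by the pinned key.
check_gpg_status() {
    _want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$_want" ] || return 2
    printf '%s\n' "$1" | awk -v want="$_want" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked signatures fail outright.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field the primary key fingerprint. Appending "" forces a string
        # comparison so digit-only fingerprints are not compared as numbers.
        $2 == "VALIDSIG" {
            n++
            if (($NF "") == (want "") || ($3 "") == (want "")) pinned = 1
        }
        END { exit !(n == 1 && pinned && !bad) }'
}

# verify_tarball TARBALL SIGFILE EXPECTED_FPR
# The signer's public key must already be imported into the gpg keyring.
verify_tarball() {
    _st=$(gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_gpg_status "$_st" "$3"
}

# fetch_and_build VERSION EXPECTED_FPR   (e.g. fetch_and_build 9.18.46 "$FPR")
# Runs in a subshell so the cd does not leak into the caller.
fetch_and_build() (
    ver=$1
    tarball="bind-$ver.tar.xz"                      # assumed file name
    base="https://downloads.isc.org/isc/bind9/$ver"
    curl -fsSLO "$base/$tarball" || exit 1
    curl -fsSLO "$base/$tarball.asc" || exit 1      # assumed signature name
    if ! verify_tarball "$tarball" "$tarball.asc" "$2"; then
        echo "refusing to build: no valid signature from the pinned key" >&2
        exit 1
    fi
    tar -xf "$tarball" && cd "bind-$ver" && ./configure && make
    # Next: make check (customized setups), make install, then reload or
    # restart named.
)
```
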

The bottom line

The new BIND 9 releases fix a handful of hard‑to‑debug crashes, tighten DNSSEC validation logic, and add a few performance tweaks that make the resolver more resilient in real‑world traffic patterns. For anyone running named on a server that handles production traffic, applying these updates is an easy way to shore up security and reliability without changing your existing configuration.