How to handle the BIND 9 February 2026 maintenance releases (9.18.45, 9.20.19, 9.21.18)
The February 2026 BIND 9 updates are finally on ISC’s download server and they bring a mix of required Python upgrades, a few long‑standing bugs finally squashed, and one experimental tweak that actually matters for today’s DNS‑based attacks. This guide spells out what each stable branch adds, which version is worth the hassle, and how to upgrade without pulling the rug out from under your resolver.
What the stable branches actually changed
The 9.18.45 line is essentially a housekeeping release. Its only new requirement is Python 3.10 or newer for the internal test suite – a detail most production servers never see unless you run “make check”. The real meat lies in three bug fixes: the BRID and HHIT record types finally behave according to their specifications, and the DSYNC type now parses correctly. If you’ve been running 9.18.x without those records showing up, you probably won’t notice anything until a client actually asks for them.
The 9.20.19 branch is where things get interesting. Besides mirroring the Python requirement, it fixes an inbound IXFR performance regression that made large zone transfers slow to a crawl compared with 9.18. Administrators at a regional ISP reported transfer times doubling after they upgraded to an early 9.20 build; the patch in 9.20.19 restores the expected speed by adding specialized logic for big IXFR streams. The release also makes catalog zone names and member entry names case‑insensitive – a tiny change that saves you from mysterious “zone not found” errors when someone drops a mixed‑case name into a config file. Finally, RPZ and catalog zones now tolerate $INCLUDE directives again, which had been broken for months in the 9.20 series.
The experimental 9.21.18 branch flips the default for ANY queries to “minimal‑any”. In practice that means a resolver will answer an ANY request with only the essential records instead of spewing the whole zone. Attackers love ANY queries for amplification, so this change cuts down the potential traffic burst by roughly half without breaking legitimate tooling. The release also forces NSEC Next Domain names to lowercase – a move that smooths over inconsistencies in older DNSSEC implementations, even though the RFC doesn’t require it.
Should you upgrade right now?
If your environment still runs a 9.16 or older branch, jumping straight to 9.20.19 makes sense; the IXFR fix alone can shave minutes off daily zone pulls for large providers. For most small‑to‑medium networks that never use BRID, HHIT, or DSYNC, staying on 9.18.45 is perfectly fine – it’s a safe, low‑risk bump that only adds the newer Python requirement for testing.
The 9.21.18 build is tempting because of the minimal‑any default, but remember it’s still labeled experimental. Production environments that have hardened their ANY handling already may not need the change, and the extra code path could surface edge‑case bugs in obscure DNSSEC setups. If you run a public resolver that fields a lot of unsolicited ANY traffic, testing 9.21.18 in a staging lab is worth the effort; otherwise stick with the proven 9.20.19.
How to upgrade without breaking your DNS
First, pull the appropriate tarball from ISC’s download directory and verify its GPG signature – the release notes link each file to a .sig that you can check against the public key on isc.org. Unpack the source, then run “./configure” with the same options you used for the current build; this guarantees feature parity and avoids surprising defaults.
Because the test suite now insists on Python 3.10+, make sure the interpreter on your build host meets that version. The required pip packages are listed in bin/tests/system/requirements.txt, so a quick “pip install -r …” will pull everything you need without guessing versions. Skipping this step won’t stop BIND from running, but it will render “make check” useless and you’ll lose the safety net that catches configuration regressions.
Next, compile with “make && make install”. If you manage multiple zones via catalog files, double‑check that any $INCLUDE statements are still valid after the upgrade – the 9.20/9.21 patches fixed a bug that previously caused reload failures when those directives were present. A quick “named-checkconf -z” will surface syntax errors before you restart the daemon.
Finally, roll the new binary into production during a maintenance window and watch the logs for any “zone load failed” messages. If you see anything about case‑sensitivity, remember that catalog zone names are now compared without regard to case, so you may need to clean up stray capital letters in your config files.
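The checks from the steps above can be collected into one pre-flight script that stops at the first failure. This is an added example, not an ISC tool; the function names, the default paths /etc/named.conf and /var/named, and the script name in the usage line are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example: pre-flight checks for the upgrade steps described above.
# Tarball, signature, config and zone directory are supplied by the caller;
# the defaults below are assumptions, not values from the release notes.

# Succeed if a "major.minor[.patch]" version is at least 3.10.
# Compared numerically: as strings, "3.9" would wrongly sort above "3.10".
py_version_ok() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 10 ]; }
}

# List zone files under directory $1 that contain a $INCLUDE directive,
# so they can be reviewed before the new binary loads them.
zones_with_include() {
    grep -rliE '^[[:space:]]*\$INCLUDE[[:space:]]' "$1" 2>/dev/null | sort
}

preflight() {
    tarball=$1; sig=$2; conf=${3:-/etc/named.conf}; zonedir=${4:-/var/named}
    # 1. The ISC public key must already be in the local keyring.
    gpg --verify "$sig" "$tarball" ||
        { echo "signature check failed: $tarball" >&2; return 1; }
    # 2. "make check" needs Python 3.10+ on the build host.
    pyver=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])') ||
        { echo "python3 not found" >&2; return 1; }
    py_version_ok "$pyver" ||
        { echo "python $pyver is too old for the test suite" >&2; return 1; }
    # 3. Show which zone files rely on $INCLUDE.
    zones_with_include "$zonedir" | sed 's/^/uses $INCLUDE: /'
    # 4. Parse the config and load every zone before restarting named.
    named-checkconf -z "$conf" >/dev/null ||
        { echo "named-checkconf -z failed for $conf" >&2; return 1; }
}

# Usage: sh preflight.sh bind.tar.xz bind.tar.xz.sig [named.conf] [zonedir]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```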
A quick sanity check after the upgrade
After the daemon is back up, query a known zone with “dig @127.0.0.1 example.com ANY”. In a 9.21.18 test you should see only the SOA and NS records unless you explicitly request additional types; that’s the minimal‑any behavior in action. Run an IXFR pull from a secondary to confirm the transfer speed is back to normal – a noticeable improvement over the lag introduced by earlier 9.20 builds.
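To make the ANY check repeatable rather than an eyeball test, the dig output can be summarised and compared against the record types you expect. This is an added example, not part of BIND; the function names are hypothetical, the sample reply is constructed, and the allowed list "SOA NS" simply encodes the expectation stated above.

```shell
#!/bin/sh
# Added example: summarise the ANSWER section of dig output read on stdin.
# Live use: dig @127.0.0.1 example.com ANY | any_summary

# Print "types=<first-seen order> records=<count> rcvd=<reply bytes>".
any_summary() {
    awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        in_ans && NF == 0     { in_ans = 0 }
        in_ans && !/^;/ {
            n++
            if (!($4 in seen)) { seen[$4] = 1; types = types (types ? "," : "") $4 }
        }
        /^;; MSG SIZE/        { rcvd = $NF }
        END { printf "types=%s records=%d rcvd=%d\n", types, n, rcvd }
    '
}

# Succeed only if the reply has answers and every answer type is in the
# space-separated allowed list given as $1.
any_types_allowed() {
    allowed=" $1 "
    summary=$(any_summary)
    types=${summary#types=}; types=${types%% *}
    [ -n "$types" ] || return 1
    old_ifs=$IFS; IFS=,
    for t in $types; do
        case "$allowed" in
            *" $t "*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
}

# Constructed sample reply (not captured from a real server).
sample_reply() {
    cat <<'EOF'
;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2026020101 7200 3600 1209600 3600
example.com.  3600  IN  NS   ns1.example.com.
example.com.  3600  IN  NS   ns2.example.com.

;; Query time: 1 msec
;; MSG SIZE  rcvd: 142
EOF
}
```

Recording the rcvd value before and after the upgrade gives a concrete measure of how much smaller the ANY reply has become on your own zones.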
If everything looks tidy, schedule a regular backup of your named.conf and zone files. The next BIND release will almost certainly add another Python requirement or tweak a record type, and you’ll thank yourself for having a clean rollback point.
That’s it – pick the branch that matches your risk appetite, follow the steps above, and let the DNS keep humming without any surprise outages.
