BIND 9.2 shipped this month with several useful additions. I have used the upgrade as an opportunity to do a small audit refresh of my DNS infrastructure.
What is in 9.2
Three main additions:
Better DNSSEC support. The cryptographic signing of DNS records is more usable in 9.2 than in earlier versions. The deployment is still rare but the tooling has improved.
Improved logging structure. The categories are more granular; the formatting is more consistent. My structured-log analysis has been simplified.
Performance improvements for very high load. Modest but measurable. My small workload does not benefit much; larger resolvers will.
The audit refresh
With the upgrade as a forcing function, I refreshed my DNS audit. Specifically:
- Confirmed the configuration is current (no stale view definitions, no stale forwarders).
- Verified the access controls (only my LAN can recurse; only specific IPs can do zone transfers).
- Reviewed the logging (catching the right events; not too verbose).
- Tested resilience (taking the primary down and confirming the secondary serves correctly).
Nothing was substantially wrong. A few small clean-ups: an old forwarder for a network that no longer exists; a logging directive that was producing redundant output; a permission setting on the zone files that was slightly more permissive than necessary.
None of these would have produced an incident in isolation. Cumulatively, they were the kind of drift that audit refreshes catch.
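As an added illustration of the access-control and file-permission items above (this is not configuration from the original post; the ACL names, addresses, zone name and file path are assumed placeholders from the RFC 5737 documentation ranges), here is the kind of drift the audit looks for in named.conf, beside the tightened form. In BIND 9.2 the defaults for allow-recursion and allow-transfer are both "any", so omitting them is the weak setting.

```conf
// --- Before: relies on 9.2 defaults, which are permissive ---
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion  -> defaults to { any; }: open resolver
    // no allow-transfer   -> defaults to { any; }: anyone can AXFR
    forwarders { 192.0.2.200; };   // stale forwarder for a network that no longer exists
};

zone "example.com" {
    type master;
    file "zones/example.com.db";   // found 644 root:root; named only needs read
};

// --- After: explicit ACLs, stale forwarder removed ---
acl "lan"         { 127.0.0.1; 192.0.2.0/24; };   // placeholder LAN range
acl "secondaries" { 198.51.100.5; };               // placeholder secondary NS

options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };          // authoritative answers stay public
    allow-recursion { lan; };          // only the LAN may use us as a resolver
    allow-transfer  { secondaries; };  // global default for every zone
};

zone "example.com" {
    type master;
    file "zones/example.com.db";       // now 640 root:named: readable by the named group only
    allow-transfer { secondaries; };   // per-zone restatement so a later global edit cannot widen it
    notify yes;
    also-notify { 198.51.100.5; };
};

// Checks after reload (named-checkconf first, then rndc reload):
//   from a host outside "secondaries":  dig @ns1.example.com example.com AXFR
//     -> should end with "; Transfer failed."
//   from a host outside "lan":          dig @ns1.example.com www.example.org
//     -> should be refused rather than answered recursively
```

The per-zone allow-transfer is deliberately redundant with the global one; that redundancy is what keeps an absent-minded edit to options from silently re-opening transfers.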
A small reflection
DNS infrastructure is the kind of thing that runs reliably for years and then fails in unusual ways. The audit refresh — even when nothing dramatic is wrong — produces small improvements that compound.
For anyone running DNS: an annual audit is, in my view, the right cadence. The cost is modest; the benefit is the reduction in drift.
More as the year develops.