A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]

In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new dnssec-keys statement should now be used for both types of key. When used with the keyword initial-key, dnssec-keys has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011. When used with the new keyword static-key, it has the same behavior as trusted-keys, configuring a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]

The cleaning-interval option has been removed. [GL !1731]

named will now log a warning if a static key is configured for the root zone. [GL #6] JSON-C is now the only supported library for enabling JSON support for BIND statistics. The configure option has been renamed from --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a custom path to the json-c library as the new configure option does not take the library installation path as an optional argument.