Notes for BIND 9.15.3
New Features
Statistics channel groups are now toggleable. [GL #1030]
Removed Features
DNSSEC Lookaside Validation (DLV) is now obsolete.
The dnssec-lookaside option has been
marked as deprecated; when used in named.conf,
it will generate a warning but will otherwise be ignored.
All code enabling the use of lookaside validation has been removed
from the validator, delv, and the DNSSEC tools.
[GL #7]
Feature Changes
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made the default. The old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the previously default AES algorithm is kept
for legacy reasons. This change does not have any operational impact
in most common scenarios. [GL #605]
If you are running multiple DNS servers (different versions of BIND 9,
or DNS servers from multiple vendors) that respond from the same IP
address (anycast or load-balancing scenarios), you will have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and the same Server Secret for the best performance.
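The following Python is an added illustration of why the anycast advice above matters; it is not BIND's code. It implements SipHash-2-4 from the published algorithm and builds a server cookie in the interoperable layout (version octet, three reserved octets, 32-bit timestamp, 8-byte hash over client cookie, header and client address) that BIND's siphash24 algorithm uses; the hash byte order, the acceptance window, the secrets and the client data are all assumptions of this example. Two anycast members only agree on a cookie when they share the secret:

```python
from __future__ import annotations

import hmac
import ipaddress
import struct

_MASK = (1 << 64) - 1
COOKIE_VERSION = 1          # version octet of the interoperable server cookie


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & _MASK


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit output."""
    if len(key) != 16:
        raise ValueError("SipHash-2-4 key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573

    def rounds(n: int) -> None:
        nonlocal v0, v1, v2, v3
        for _ in range(n):
            v0 = (v0 + v1) & _MASK
            v1 = _rotl(v1, 13) ^ v0
            v0 = _rotl(v0, 32)
            v2 = (v2 + v3) & _MASK
            v3 = _rotl(v3, 16) ^ v2
            v0 = (v0 + v3) & _MASK
            v3 = _rotl(v3, 21) ^ v0
            v2 = (v2 + v1) & _MASK
            v1 = _rotl(v1, 17) ^ v2
            v2 = _rotl(v2, 32)

    full = len(msg) - len(msg) % 8
    for off in range(0, full, 8):          # two compression rounds per 8-byte word
        (m,) = struct.unpack_from("<Q", msg, off)
        v3 ^= m
        rounds(2)
        v0 ^= m
    # Final word: message length in the top byte, the tail bytes below it.
    last = ((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    rounds(2)
    v0 ^= last
    v2 ^= 0xFF                              # four finalization rounds
    rounds(4)
    return v0 ^ v1 ^ v2 ^ v3


def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, timestamp: int) -> bytes:
    """16-byte server cookie: version | reserved(3) | timestamp(4) | hash(8).

    Assumed layout: the hash covers client cookie || header || client address,
    and its 64-bit output is written little-endian (as the reference SipHash does).
    """
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    header = struct.pack(">B3xI", COOKIE_VERSION, timestamp)     # 8 bytes, reserved = 0
    addr = ipaddress.ip_address(client_ip).packed                 # 4 or 16 bytes
    digest = siphash24(secret, client_cookie + header + addr)
    return header + digest.to_bytes(8, "little")


def verify_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str,
                         cookie: bytes, now: int, max_age: int = 3600, max_skew: int = 300) -> bool:
    """Recompute the cookie under this server's secret; reject old or future timestamps."""
    if len(cookie) != 16 or cookie[0] != COOKIE_VERSION:
        return False
    (ts,) = struct.unpack_from(">I", cookie, 4)
    if ts > now + max_skew or ts < now - max_age:   # assumed acceptance window
        return False
    expected = server_cookie(secret, client_cookie, client_ip, ts)
    return hmac.compare_digest(expected, cookie)    # constant-time comparison


def anycast_demo() -> dict:
    """Constructed scenario: node A issues a cookie; node B shares or lacks A's secret."""
    secret_a = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed, demo only
    secret_b = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed, differs
    client_cookie = bytes.fromhex("0123456789abcdef")              # constructed client cookie
    client_ip = "192.0.2.10"                                       # documentation address
    now = 1_560_000_000                                            # fixed clock for reproducibility
    cookie = server_cookie(secret_a, client_cookie, client_ip, now)
    return {
        "same_secret": verify_server_cookie(secret_a, client_cookie, client_ip, cookie, now),
        "different_secret": verify_server_cookie(secret_b, client_cookie, client_ip, cookie, now),
        "stale": verify_server_cookie(secret_a, client_cookie, client_ip, cookie, now + 7200),
    }


if __name__ == "__main__":
    print(anycast_demo())
```

A node with a different secret (or a different algorithm) sees every cookie minted by its anycast peers as bad and falls back to the cookie-less path, which is the performance cost the note refers to. In BIND the operator-facing settings are the cookie-algorithm and cookie-secret options in named.conf; a fresh 128-bit secret belongs in a secrets store, not in a demo constant as above.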
The informational output of the dnssec-signzone and
dnssec-verify commands is now printed to standard
output. Standard error is used only for warnings and errors, and for
the informational output when the user requests the signed zone itself
to be printed to standard output with the -f - option. A new
-q option has been added to silence all output on standard output
except for the name of the signed zone.
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
Bug Fixes
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
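As an added illustration (not BIND's code), the following Python reproduces the check named-checkconf now performs on a DNS64 prefix and then uses the same prefix to synthesize an AAAA address as RFC 6052 specifies, so the reason for the rule is visible: the reserved octet at bits 64-71 is skipped when the IPv4 address is embedded, and a prefix with bits set there would collide with it. Function names are my own; the prefixes and the 192.0.2.33 address are the RFC 6052 examples.

```python
from __future__ import annotations

import ipaddress

# RFC 6052 permits these prefix lengths for IPv4-embedded IPv6 addresses.
VALID_DNS64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def check_dns64_prefix(prefix: str) -> tuple[bool, str]:
    """Validate a DNS64 prefix the way a configuration checker would.

    Returns (ok, reason). A prefix passes when it has an RFC 6052 length,
    no host bits set, and bits 64-71 (the reserved "u" octet) equal to zero.
    """
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError as exc:                 # host bits set, bad syntax, or not IPv6
        return False, f"not a valid IPv6 prefix: {exc}"
    if net.prefixlen not in VALID_DNS64_PREFIX_LENGTHS:
        return False, f"/{net.prefixlen} is not one of {VALID_DNS64_PREFIX_LENGTHS}"
    # Bit 0 is the most significant bit of the address, so bits 64-71 are
    # byte index 8 of the packed 16-byte form.
    if net.network_address.packed[8] != 0:
        return False, "bits 64-71 of the prefix must be zero (RFC 6052 reserved octet)"
    return True, "ok"


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in a DNS64 prefix (RFC 6052 section 2.2).

    The IPv4 bits follow the prefix immediately, skipping the reserved octet
    at bits 64-71; any suffix bits left over are zero.  This is the general
    rule, of which the usual /96 case is one instance.
    """
    ok, reason = check_dns64_prefix(prefix)
    if not ok:
        raise ValueError(reason)
    net = ipaddress.IPv6Network(prefix)
    prefix_int = int(net.network_address)
    v4_int = int(ipaddress.IPv4Address(ipv4))

    bits = [0] * 128
    for i in range(net.prefixlen):                 # copy the prefix bits
        bits[i] = (prefix_int >> (127 - i)) & 1
    pos = net.prefixlen
    for j in range(32):                            # then the 32 IPv4 bits
        if 64 <= pos < 72:                         # never write into the reserved octet
            pos = 72
        bits[pos] = (v4_int >> (31 - j)) & 1
        pos += 1

    value = 0
    for b in bits:
        value = (value << 1) | b
    return str(ipaddress.IPv6Address(value))


if __name__ == "__main__":
    for p in ("64:ff9b::/96", "2001:db8:100::/40", "2001:db8:0:0:ff00::/96"):
        ok, reason = check_dns64_prefix(p)
        print(p, "->", reason if not ok else synthesize_aaaa(p, "192.0.2.33"))
```

Run stand-alone, the script shows the well-known-prefix case, a /40 case where the embedded address straddles the reserved octet, and a prefix that the check rejects because bits 64-71 are set.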
named-checkconf now correctly reports a missing
dnstap-output option when
dnstap is set. [GL #1136]
An ETIMEDOUT error on connect() with a non-blocking socket is now
handled. [GL #1133]
dig now correctly expands the IPv6 address
when run with +expandaaaa +short. [GL #1152]