- An experimental "Source Identity Token" (SIT) EDNS option
  is now available.  Similar to DNS Cookies as invented by
  Donald Eastlake 3rd, these are designed to enable clients
  to detect off-path spoofed responses, and to enable servers
  to detect spoofed-source queries.  Servers can be configured
  to send smaller responses to clients that have not identified
  themselves using a SIT option, reducing the effectiveness of
  amplification attacks.  RRL processing has also been updated;
  clients proven to be legitimate via SIT are not subject to
  rate limiting.  Use "configure --enable-sit" to enable this
  feature in BIND.
- A new "configure --with-tuning=large" option tunes certain
  compiled-in constants and default settings to values better
  suited to large servers with abundant memory.  This can
  improve performance on such servers, but will consume more
  memory and may degrade performance on smaller systems.
- ACLs can now be specified based on geographic location
  using the MaxMind GeoIP databases.  Use "configure
  --with-geoip" to enable.