diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 0375eccf54..9bf02c7170 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -33,6 +33,8 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. +.. include:: ../notes/notes-known-issues.rst + .. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.18.8.rst .. include:: ../notes/notes-9.18.7.rst diff --git a/doc/notes/notes-9.18.0.rst b/doc/notes/notes-9.18.0.rst index 70dd015e3b..68f8c9b696 100644 --- a/doc/notes/notes-9.18.0.rst +++ b/doc/notes/notes-9.18.0.rst @@ -26,6 +26,9 @@ Known Issues formally declaring them to be obsolete in the control channel. :gl:`#1759` +- See :ref:`above ` for a list of all known + issues affecting this BIND 9 branch. + New Features ~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst index cdd9575fe2..f76369b4fa 100644 --- a/doc/notes/notes-9.18.1.rst +++ b/doc/notes/notes-9.18.1.rst @@ -98,3 +98,10 @@ Bug Fixes - Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. :gl:`#3111` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.2.rst b/doc/notes/notes-9.18.2.rst index b4ab69a22d..0111083d8b 100644 --- a/doc/notes/notes-9.18.2.rst +++ b/doc/notes/notes-9.18.2.rst @@ -44,3 +44,10 @@ Bug Fixes - Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. :gl:`#3200` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst index b249ab2eaa..09952c99e7 100644 --- a/doc/notes/notes-9.18.3.rst +++ b/doc/notes/notes-9.18.3.rst @@ -37,6 +37,9 @@ Known Issues ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. :gl:`#3163` +- See :ref:`above ` for a list of all known + issues affecting this BIND 9 branch. + New Features ~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.18.4.rst b/doc/notes/notes-9.18.4.rst index c093bdfe4c..1579bc4912 100644 --- a/doc/notes/notes-9.18.4.rst +++ b/doc/notes/notes-9.18.4.rst @@ -35,3 +35,10 @@ Bug Fixes ran, whether the metadata had changed or not. :iscman:`named` now checks whether changes were applied before writing out the key files. :gl:`#3302` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.5.rst b/doc/notes/notes-9.18.5.rst index a3ab591fa0..546b1b3de7 100644 --- a/doc/notes/notes-9.18.5.rst +++ b/doc/notes/notes-9.18.5.rst @@ -50,3 +50,10 @@ Bug Fixes - It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. :gl:`#2506` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.6.rst b/doc/notes/notes-9.18.6.rst index 546dfa7b3c..3ed788f2b9 100644 --- a/doc/notes/notes-9.18.6.rst +++ b/doc/notes/notes-9.18.6.rst @@ -53,3 +53,10 @@ Bug Fixes - :option:`rndc dumpdb -expired ` was fixed to include expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and the cache-cleaning time window has passed. :gl:`#3462` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst index e54297278e..dade98ed4d 100644 --- a/doc/notes/notes-9.18.7.rst +++ b/doc/notes/notes-9.18.7.rst @@ -71,3 +71,10 @@ Bug Fixes from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. :gl:`#2982` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.8.rst b/doc/notes/notes-9.18.8.rst index 213aeca6f1..457f470491 100644 --- a/doc/notes/notes-9.18.8.rst +++ b/doc/notes/notes-9.18.8.rst @@ -33,6 +33,9 @@ Known Issues :any:`allow-update-forwarding`) in conjuction with zone transfers over TLS (XoT). :gl:`#3512` +- See :ref:`above ` for a list of all known + issues affecting this BIND 9 branch. + New Features ~~~~~~~~~~~~ diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 53c913e432..83511c07bb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -17,11 +17,6 @@ Security Fixes - None. -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -63,3 +58,10 @@ Bug Fixes - Fixed a crash that happens when you reconfigure a ``dnssec-policy`` zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst new file mode 100644 index 0000000000..bb8e937d3e --- /dev/null +++ b/doc/notes/notes-known-issues.rst @@ -0,0 +1,51 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _relnotes_known_issues: + +Known Issues +------------ + +- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require + a manual configuration change. The following configurations are + affected: + + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. + + In these cases please add :namedconf:ref:`inline-signing yes; + ` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- BIND 9.18 does not support dynamic update forwarding (see + :any:`allow-update-forwarding`) in conjuction with zone transfers over + TLS (XoT). :gl:`#3512` + +- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT + be inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only ``subjectAltName`` must be checked + instead. Unfortunately, some quite old versions of cryptographic + libraries might lack the ability to ignore the ``Subject`` field. This + should have minimal production-use consequences, as most of the + production-ready certificates issued by certificate authorities will + have ``subjectAltName`` set. In such cases, the ``Subject`` field is + ignored. Only old platforms are affected by this, e.g. those supplied + with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- ``rndc`` has been updated to use the new BIND network manager API. As + the network manager currently has no support for UNIX-domain sockets, + those cannot now be used with ``rndc``. This will be addressed in a + future release, either by restoring UNIX-domain socket support or by + formally declaring them to be obsolete in the control channel. + :gl:`#1759`