From 49db39abfe3af92a24a765172fe245f98aa8c75b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Wed, 5 Oct 2022 15:21:36 +0200
Subject: [PATCH] Add Known Issue about config incompatibility

(cherry picked from commit 5589d0a49c722c13f78fccdd955c377b9c32c13e)
---
 doc/notes/notes-current.rst | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 97a3c99649..e10f3f03ef 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -20,6 +20,18 @@ Security Fixes
 Known Issues
 ~~~~~~~~~~~~
 
+- Upgrading from BIND 9.16.32, 9.18.6, or older, may require a manual
+  configuration change. The following configurations are affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but without
+    either :any:`allow-update` or :any:`update-policy`
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to individual zone configuration(s). Without applying this
+  change :iscman:`named` will fail to start. For more details see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
 - BIND 9.18 does not support dynamic updates forwarding (see
   :any:`allow-update-forwarding`) in conjuction with zone transfers
   over TLS (XoT). :gl:`#3512`