Merge branch 'pspacek/doc-known-issues-reshuffle' into 'main'

Repeat Known Issues at the top of Release Notes page

See merge request isc-projects/bind9!7040

doc/arm/notes.rst

@@ -36,6 +36,8 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
+.. include:: ../notes/notes-known-issues.rst
+
 .. include:: ../notes/notes-current.rst
 .. include:: ../notes/notes-9.19.6.rst
 .. include:: ../notes/notes-9.19.5.rst

doc/notes/notes-9.19.0.rst

@@ -26,6 +26,9 @@ Known Issues
   ignored. Only old platforms are affected by this, e.g. those supplied
   with OpenSSL versions older than 1.1.1. :gl:`#3163`
 
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
 New Features
 ~~~~~~~~~~~~
 

doc/notes/notes-9.19.1.rst

@@ -63,3 +63,10 @@ Bug Fixes
 - Previously, CDS and CDNSKEY DELETE records were removed from the zone
   when configured with the ``auto-dnssec maintain;`` option. This has
   been fixed. :gl:`#2931`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.19.2.rst

@@ -35,3 +35,10 @@ Bug Fixes
   ran, whether the metadata had changed or not. :iscman:`named` now
   checks whether changes were applied before writing out the key files.
   :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.19.3.rst

@@ -68,3 +68,10 @@ Bug Fixes
 - It was possible for a catalog zone consumer to process a catalog zone
   member zone when there was a configured pre-existing forward-only
   forward zone with the same name. This has been fixed. :gl:`#2506`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.19.4.rst

@@ -57,3 +57,10 @@ Bug Fixes
 - :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
   expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
   the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.19.5.rst

@@ -84,3 +84,10 @@ Bug Fixes
   from cache for lookups that received duplicate queries or queries that
   would be dropped. This bug resulted in premature SERVFAIL responses,
   and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.19.6.rst

@@ -29,6 +29,9 @@ Known Issues
   details, see
   https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
 
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
 New Features
 ~~~~~~~~~~~~
 

doc/notes/notes-current.rst

@@ -17,11 +17,6 @@ Security Fixes
 
 - None.
 
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
 New Features
 ~~~~~~~~~~~~
 
@@ -66,3 +61,10 @@ Bug Fixes
 
 - Fixed a crash that happens when you reconfigure a ``dnssec-policy``
   zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-known-issues.rst

@@ -0,0 +1,40 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
+  require a manual configuration change. The following configurations
+  are affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but
+    without either :any:`allow-update` or :any:`update-policy`,
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to the individual zone configuration(s). Without
+  applying this change, :iscman:`named` will fail to start. For more
+  details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+  be inspected when verifying a remote certificate while establishing a
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+  instead. Unfortunately, some quite old versions of cryptographic
+  libraries might lack the ability to ignore the ``Subject`` field. This
+  should have minimal production-use consequences, as most of the
+  production-ready certificates issued by certificate authorities will
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+  ignored. Only old platforms are affected by this, e.g. those supplied
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`