https://www.isc.org/download/. There you will find additional
information about each release, and source code.
-.. include:: ../notes/notes-known-issues.rst
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+The list of known issues affecting the latest version in the 9.18 branch can be
+found at
+https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18
+
.. include:: ../notes/notes-9.18.31.rst
.. include:: ../notes/notes-9.18.30.rst
.. include:: ../notes/notes-9.18.29.rst
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. _relnotes_known_issues:
-
-Known Issues
-------------
-
-- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
- a manual configuration change. The following configurations are
- affected:
-
- - :any:`type primary` zones configured with :any:`dnssec-policy` but
- without either :any:`allow-update` or :any:`update-policy`,
- - :any:`type secondary` zones configured with :any:`dnssec-policy`.
-
- In these cases please add :namedconf:ref:`inline-signing yes;
- <inline-signing>` to the individual zone configuration(s). Without
- applying this change, :iscman:`named` will fail to start. For more
- details, see
- https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
-
-- BIND 9.18 does not support dynamic update forwarding (see
- :any:`allow-update-forwarding`) in conjuction with zone transfers over
- TLS (XoT). :gl:`#3512`
-
-- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
- be inspected when verifying a remote certificate while establishing a
- DNS-over-TLS connection. Only ``subjectAltName`` must be checked
- instead. Unfortunately, some quite old versions of cryptographic
- libraries might lack the ability to ignore the ``Subject`` field. This
- should have minimal production-use consequences, as most of the
- production-ready certificates issued by certificate authorities will
- have ``subjectAltName`` set. In such cases, the ``Subject`` field is
- ignored. Only old platforms are affected by this, e.g. those supplied
- with OpenSSL versions older than 1.1.1. :gl:`#3163`
-
-- ``rndc`` has been updated to use the new BIND network manager API. As
- the network manager currently has no support for UNIX-domain sockets,
- those cannot now be used with ``rndc``. This will be addressed in a
- future release, either by restoring UNIX-domain socket support or by
- formally declaring them to be obsolete in the control channel.
- :gl:`#1759`
-
-- Sending NOTIFY messages silently fails when the source port specified
- in the :any:`notify-source` statement is already in use. This can
- happen e.g. when multiple servers are configured as NOTIFY targets for
- a zone and some of them are unresponsive. This issue can be worked
- around by not specifying the source port for NOTIFY messages in the
- :any:`notify-source` statement; note that source port configuration is
- already `deprecated`_ and will be removed altogether in a future
- release. :gl:`#4002`
-
-.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
projects / thirdparty / bind9.git / commitdiff
