Add Known Issue about config incompatibility

author Petr Špaček <pspacek@isc.org>

Wed, 5 Oct 2022 13:21:36 +0000 (15:21 +0200)

committer Petr Špaček <pspacek@isc.org>

Thu, 6 Oct 2022 08:28:19 +0000 (10:28 +0200)
author Petr Špaček <pspacek@isc.org>
Wed, 5 Oct 2022 13:21:36 +0000 (15:21 +0200)
committer Petr Špaček <pspacek@isc.org>
Thu, 6 Oct 2022 08:28:19 +0000 (10:28 +0200)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst

index 97a3c996492129969296c67554cdaceab3c6fc55..e10f3f03ef2a2ffe64e4abf1ac61d33c84289117 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -20,6 +20,18 @@ Security Fixes
  Known Issues
  ~~~~~~~~~~~~
  
+- Upgrading from BIND 9.16.32, 9.18.6, or older, may require a manual
+  configuration change. The following configurations are affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but without
+    either :any:`allow-update` or :any:`update-policy`
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to individual zone configuration(s). Without applying this
+  change :iscman:`named` will fail to start. For more details see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
  - BIND 9.18 does not support dynamic updates forwarding (see
    :any:`allow-update-forwarding`) in conjuction with zone transfers
    over TLS (XoT). :gl:`#3512`
author	Petr Špaček <pspacek@isc.org>
	Wed, 5 Oct 2022 13:21:36 +0000 (15:21 +0200)
committer	Petr Špaček <pspacek@isc.org>
	Thu, 6 Oct 2022 08:28:19 +0000 (10:28 +0200)