https://www.isc.org/download/. There you will find additional
information about each release, and source code.
+.. include:: ../notes/notes-known-issues.rst
+
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.19.6.rst
.. include:: ../notes/notes-9.19.5.rst
ignored. Only old platforms are affected by this, e.g. those supplied
with OpenSSL versions older than 1.1.1. :gl:`#3163`
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
New Features
~~~~~~~~~~~~
- Previously, CDS and CDNSKEY DELETE records were removed from the zone
when configured with the ``auto-dnssec maintain;`` option. This has
been fixed. :gl:`#2931`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
ran, whether the metadata had changed or not. :iscman:`named` now
checks whether changes were applied before writing out the key files.
:gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
- It was possible for a catalog zone consumer to process a catalog zone
member zone when there was a configured pre-existing forward-only
forward zone with the same name. This has been fixed. :gl:`#2506`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
New Features
~~~~~~~~~~~~
- None.
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
New Features
~~~~~~~~~~~~
- Fixed a crash that happens when you reconfigure a ``dnssec-policy``
zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
--- /dev/null
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may
+ require a manual configuration change. The following configurations
+ are affected:
+
+ - :any:`type primary` zones configured with :any:`dnssec-policy` but
+ without either :any:`allow-update` or :any:`update-policy`,
+ - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+ In these cases please add :namedconf:ref:`inline-signing yes;
+ <inline-signing>` to the individual zone configuration(s). Without
+ applying this change, :iscman:`named` will fail to start. For more
+ details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+ be inspected when verifying a remote certificate while establishing a
+ DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+ instead. Unfortunately, some quite old versions of cryptographic
+ libraries might lack the ability to ignore the ``Subject`` field. This
+ should have minimal production-use consequences, as most of the
+ production-ready certificates issued by certificate authorities will
+ have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+ ignored. Only old platforms are affected by this, e.g. those supplied
+ with OpenSSL versions older than 1.1.1. :gl:`#3163`
projects / thirdparty / bind9.git / commitdiff
