diff options
Diffstat (limited to 'doc/notes/notes-known-issues.rst')
| -rw-r--r-- | doc/notes/notes-known-issues.rst | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst new file mode 100644 index 0000000..ee0d0f0 --- /dev/null +++ b/doc/notes/notes-known-issues.rst @@ -0,0 +1,62 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _relnotes_known_issues: + +Known Issues +------------ + +- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require + a manual configuration change. The following configurations are + affected: + + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. + + In these cases please add :namedconf:ref:`inline-signing yes; + <inline-signing>` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- BIND 9.18 does not support dynamic update forwarding (see + :any:`allow-update-forwarding`) in conjuction with zone transfers over + TLS (XoT). :gl:`#3512` + +- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT + be inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only ``subjectAltName`` must be checked + instead. Unfortunately, some quite old versions of cryptographic + libraries might lack the ability to ignore the ``Subject`` field. This + should have minimal production-use consequences, as most of the + production-ready certificates issued by certificate authorities will + have ``subjectAltName`` set. In such cases, the ``Subject`` field is + ignored. Only old platforms are affected by this, e.g. those supplied + with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- ``rndc`` has been updated to use the new BIND network manager API. As + the network manager currently has no support for UNIX-domain sockets, + those cannot now be used with ``rndc``. This will be addressed in a + future release, either by restoring UNIX-domain socket support or by + formally declaring them to be obsolete in the control channel. + :gl:`#1759` + +- Sending NOTIFY messages silently fails when the source port specified + in the :any:`notify-source` statement is already in use. This can + happen e.g. when multiple servers are configured as NOTIFY targets for + a zone and some of them are unresponsive. This issue can be worked + around by not specifying the source port for NOTIFY messages in the + :any:`notify-source` statement; note that source port configuration is + already `deprecated`_ and will be removed altogether in a future + release. :gl:`#4002` + +.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781 |