Diffstat (limited to '')
-rw-r--r--doc/notes/notes-9.18.0.rst346
-rw-r--r--doc/notes/notes-9.18.1.rst107
-rw-r--r--doc/notes/notes-9.18.10.rst80
-rw-r--r--doc/notes/notes-9.18.11.rst112
-rw-r--r--doc/notes/notes-9.18.12.rst54
-rw-r--r--doc/notes/notes-9.18.13.rst75
-rw-r--r--doc/notes/notes-9.18.14.rst46
-rw-r--r--doc/notes/notes-9.18.15.rst57
-rw-r--r--doc/notes/notes-9.18.16.rst72
-rw-r--r--doc/notes/notes-9.18.17.rst42
-rw-r--r--doc/notes/notes-9.18.18.rst47
-rw-r--r--doc/notes/notes-9.18.19.rst96
-rw-r--r--doc/notes/notes-9.18.2.rst53
-rw-r--r--doc/notes/notes-9.18.3.rst73
-rw-r--r--doc/notes/notes-9.18.4.rst44
-rw-r--r--doc/notes/notes-9.18.5.rst59
-rw-r--r--doc/notes/notes-9.18.6.rst62
-rw-r--r--doc/notes/notes-9.18.7.rst80
-rw-r--r--doc/notes/notes-9.18.8.rst68
-rw-r--r--doc/notes/notes-9.18.9.rst61
-rw-r--r--doc/notes/notes-known-issues.rst62
21 files changed, 1696 insertions, 0 deletions
diff --git a/doc/notes/notes-9.18.0.rst b/doc/notes/notes-9.18.0.rst
new file mode 100644
index 0000000..68f8c9b
--- /dev/null
+++ b/doc/notes/notes-9.18.0.rst
@@ -0,0 +1,346 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.0
+---------------------
+
+.. note:: This section only lists changes since BIND 9.16.25, the most
+ recent release on the previous stable branch of BIND before
+ the publication of BIND 9.18.0.
+
+Known Issues
+~~~~~~~~~~~~
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+ the network manager currently has no support for UNIX-domain sockets,
+ those cannot now be used with ``rndc``. This will be addressed in a
+ future release, either by restoring UNIX-domain socket support or by
+ formally declaring them to be obsolete in the control channel.
+ :gl:`#1759`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- ``named`` now supports securing DNS traffic using Transport Layer
+ Security (TLS). TLS is used by both DNS over TLS (DoT) and
+ DNS over HTTPS (DoH).
+
+ ``named`` can use either a certificate provided by the user or an
+ ephemeral certificate generated automatically upon startup. The
+ :any:`tls` block allows fine-grained control over TLS
+ parameters. :gl:`#1840` :gl:`#2795` :gl:`#2796`
+
+ For debugging purposes, ``named`` logs TLS pre-master secrets when the
+ ``SSLKEYLOGFILE`` environment variable is set. This enables
+ troubleshooting of issues with encrypted traffic. :gl:`#2723`
+
+- Support for DNS over TLS (DoT) has been added to ``named``. Network
+ interfaces for DoT are configured using the existing
+ :ref:`listen-on <interfaces>` directive, while TLS parameters are
+ configured using the new :any:`tls` block. :gl:`#1840`
+
+ ``named`` supports :rfc:`zone transfers over TLS <9103>`
+ (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.
+
+ Incoming zone transfers over TLS are enabled by adding the :any:`tls`
+ keyword, followed by either the name of a previously configured
+ :any:`tls` block or the string ``ephemeral``, to the
+ addresses included in :any:`primaries` lists.
+ :gl:`#2392`
+
+ Similarly, the :any:`allow-transfer` option
+ was extended to accept additional ``port`` and ``transport``
+ parameters, to further restrict outgoing zone transfers to a
+ particular port and/or DNS transport protocol. :gl:`#2776`
+
+ Note that zone transfers over TLS (XoT) require the ``dot``
+ Application-Layer Protocol Negotiation (ALPN) token to be selected in
+ the TLS handshake, as required by :rfc:`9103` section 7.1. This might
+ cause issues with non-compliant XoT servers. :gl:`#2794`
+
+ The ``dig`` tool is now able to send DoT queries (``+tls`` option).
+ :gl:`#1840`
+
+ There is currently no support for forwarding DNS queries via DoT.
+
+- Support for DNS over HTTPS (DoH) has been added to ``named``. Both
+ TLS-encrypted and unencrypted connections are supported (the latter
+ may be used to offload encryption to other software). Network
+ interfaces for DoH are configured using the existing
+ :ref:`listen-on <interfaces>` directive, while TLS parameters are
+ configured using the new :any:`tls` block and HTTP
+ parameters are configured using the new :any:`http` block.
+ :gl:`#1144` :gl:`#2472`
+
+ Server-side quotas on both the number of concurrent DoH connections
+ and the number of active HTTP/2 streams per connection can be
+ configured using the global :any:`http-listener-clients` and
+ :any:`http-streams-per-connection` options, or the :any:`listener-clients`
+ and :any:`streams-per-connection` parameters in an
+ :any:`http block <http>`. :gl:`#2809`
+
+ The ``dig`` tool is now able to send DoH queries (``+https`` option).
+ :gl:`#1641`
+
+ There is currently no support for forwarding DNS queries via DoH.
+
+ DoH support can be disabled at compile time using a new build-time
+ option, ``--disable-doh``. This allows BIND 9 to be built without the
+ `libnghttp2`_ library. :gl:`#2478`
+
+- A new logging category, ``rpz-passthru``, was added, which allows RPZ
+ passthru actions to be logged into a separate channel. :gl:`#54`
+
+- A new option, ``nsdname-wait-recurse``, has been added to the
+ :any:`response-policy` clause in the configuration file. When set to
+ ``no``, RPZ NSDNAME rules are only applied if the authoritative
+ nameservers for the query name have been looked up and are present in
+ the cache. If this information is not present, the RPZ NSDNAME rules
+ are ignored, but the information is looked up in the background and
+ applied to subsequent queries. The default is ``yes``, meaning that
+ RPZ NSDNAME rules should always be applied, even if the information
+ needs to be looked up first. :gl:`#1138`
+
+- Support for HTTPS and SVCB record types now also includes ADDITIONAL
+ section processing for these record types. :gl:`#1132`
+
+- New configuration options, :any:`tcp-receive-buffer`,
+ :any:`tcp-send-buffer`, :any:`udp-receive-buffer`, and :any:`udp-send-buffer`,
+ have been added. These options allow the operator to fine-tune the
+ receiving and sending buffers in the operating system. On busy
+ servers, increasing the size of the receive buffers can prevent the
+ server from dropping packets during short traffic spikes, and
+ decreasing it can prevent the server from becoming clogged with
+ queries that are too old and have already timed out. :gl:`#2313`
+
+- New finer-grained :any:`update-policy` rule types,
+ ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
+ These rule types restrict updates to SRV and PTR records so that their
+ content can only match the machine name embedded in the Kerberos
+ principal making the change. :gl:`#481`
+
+- Per-type record count limits can now be specified in :any:`update-policy`
+ statements, to limit the number of records of a particular type that
+ can be added to a domain name via dynamic update. :gl:`#1657`
+
+- Support for OpenSSL 3.0 APIs was added. :gl:`#2843` :gl:`#3057`
+
+- Extended DNS Error Code 18 - Prohibited (see :rfc:`8914` section
+ 4.19) is now set if query access is denied to the specific client.
+ :gl:`#1836`
+
+- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
+
+- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
+ This is useful when the host on which ``dig`` is run is behind an
+ IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
+ Service). :gl:`#1154`
+
+- ``dig`` output now includes the transport protocol used (UDP, TCP,
+ TLS, HTTPS). :gl:`#1144` :gl:`#1816`
+
+- ``dig +qid=<num>`` allows the user to specify a particular query ID
+ for testing purposes. :gl:`#1851`
+
+.. _libnghttp2: https://nghttp2.org/
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for the ``map`` zone file format (``masterfile-format map;``)
+ has been removed. Users relying on the ``map`` format are advised to
+ convert their zones to the ``raw`` format with ``named-compilezone``
+ and change the configuration appropriately prior to upgrading BIND 9.
+ :gl:`#2882`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+ enabled in ``named`` at build time have been removed. New-style DLZ
+ modules should be used as a replacement. :gl:`#2814`
+
+- Support for compiling and running BIND 9 natively on Windows has been
+ completely removed. The last stable release branch that has working
+ Windows support is BIND 9.16. :gl:`#2690`
+
+- Native PKCS#11 support has been removed. :gl:`#2691`
+
+ When built against OpenSSL 1.x, BIND 9 now
+ :ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>`. engine_pkcs11 is an
+ OpenSSL engine which is part of the `OpenSC`_ project.
+
+ As support for so-called "engines" was deprecated in OpenSSL 3.x,
+ compiling BIND 9 against an OpenSSL 3.x build which does not retain
+ support for deprecated APIs makes it impossible to use PKCS#11 in BIND
+ 9. A replacement for engine_pkcs11 which employs the new "provider"
+ approach introduced in OpenSSL 3.x is in the making. :gl:`#2843`
+
+- The utilities ``dnssec-checkds``, ``dnssec-coverage``, and
+ ``dnssec-keymgr`` have been removed from the BIND distribution, as well
+ as the ``isc`` Python package. DNSSEC features formerly provided
+ by these utilities are now integrated into ``named``.
+ See the :any:`dnssec-policy` configuration option
+ for more details.
+
+ An archival version of the Python utilities has been moved to
+ the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/.
+ Please note these tools are no longer supported by ISC.
+
+- Since the old socket manager API has been removed, "socketmgr"
+ statistics are no longer reported by the
+ :any:`statistics-channels`. :gl:`#2926`
+
+- The :any:`glue-cache` *option* has been marked as deprecated. The glue
+ cache *feature* still works and will be permanently *enabled* in a
+ future release. :gl:`#2146`
+
+- A number of non-working configuration options that had been marked as
+ obsolete in previous releases have now been removed completely. Using
+ any of the following options is now considered a configuration
+ failure: ``acache-cleaning-interval``, ``acache-enable``,
+ ``additional-from-auth``, ``additional-from-cache``,
+ ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
+ ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
+ ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
+ ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
+ ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
+ ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
+
+- The ``dig`` option ``+unexpected`` has been removed. :gl:`#2140`
+
+- IPv6 sockets are now explicitly restricted to sending and receiving
+ IPv6 packets only. As this breaks the ``+mapped`` option for ``dig``,
+ the option has been removed. :gl:`#3093`
+
+- Disable and disallow static linking of BIND 9 binaries and libraries
+ as BIND 9 modules require ``dlopen()`` support and static linking also
+ prevents using security features like read-only relocations (RELRO) or
+ address space layout randomization (ASLR) which are important for
+ programs that interact with the network and process arbitrary user
+ input. :gl:`#1933`
+
+- The ``--with-gperftools-profiler`` ``configure`` option was removed.
+ To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
+ now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
+ be present in ``LDFLAGS``. :gl:`!4045`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Aggressive Use of DNSSEC-Validated Cache (:any:`synth-from-dnssec`, see
+ :rfc:`8198`) is now enabled by default again, after having been
+ disabled in BIND 9.14.8. The implementation of this feature was
+ reworked to achieve better efficiency and tuned to ignore certain
+ types of broken NSEC records. Negative answer synthesis is currently
+ only supported for zones using NSEC. :gl:`#1265`
+
+- The default NSEC3 parameters for :any:`dnssec-policy` were updated to no
+ extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). This
+ change is in line with the `latest NSEC3 recommendations`_.
+ :gl:`#2956`
+
+- The default for :any:`dnssec-dnskey-kskonly` was changed to ``yes``. This
+ means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
+ the KSK by default. The additional signatures prepared using the ZSK
+ when the option is set to ``no`` add to the DNS response payload
+ without offering added value. :gl:`#1316`
+
+- ``dnssec-cds`` now only generates SHA-2 DS records by default and
+ avoids copying deprecated SHA-1 records from a child zone to its
+ delegation in the parent. If the child zone does not publish SHA-2 CDS
+ records, ``dnssec-cds`` will generate them from the CDNSKEY records.
+ The ``-a algorithm`` option now affects the process of generating DS
+ digest records from both CDS and CDNSKEY records. Thanks to Tony
+ Finch. :gl:`#2871`
+
+- Previously, ``named`` accepted FORMERR responses both with and without
+ an OPT record, as an indication that a given server did not support
+ EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
+ responses without an OPT record are now accepted. This intentionally
+ breaks communication with servers that do not support EDNS and that
+ incorrectly echo back the query message with the RCODE field set to
+ FORMERR and the QR bit set to 1. :gl:`#2249`
+
+- The question section is now checked when processing AXFR, IXFR, and
+ SOA replies while transferring a zone in. :gl:`#1683`
+
+- DNS Flag Day 2020: the EDNS buffer size probing code, which made the
+ resolver adjust the EDNS buffer size used for outgoing queries based
+ on the successful query responses and timeouts observed, was removed.
+ The resolver now always uses the EDNS buffer size set in
+ :any:`edns-udp-size` for all outgoing queries. :gl:`#2183`
+
+- Keeping stale answers in cache (:any:`stale-cache-enable`) has been
+ disabled by default. :gl:`#1712`
+
+- Overall memory use by ``named`` has been optimized and significantly
+ reduced, especially for resolver workloads. :gl:`#2398` :gl:`#3048`
+
+- Memory allocation is now based on the memory allocation API provided
+ by the `jemalloc`_ library, on platforms where it is available. Use of
+ this library is now recommended when building BIND 9; although it is
+ optional, it is enabled by default. :gl:`#2433`
+
+- Internal data structures maintained for each cache database are now
+ grown incrementally when they need to be expanded. This helps maintain
+ a steady response rate on a loaded resolver while these internal data
+ structures are resized. :gl:`#2941`
+
+- The interface handling code has been refactored to use fewer
+ resources, which should lead to less memory fragmentation and better
+ startup performance. :gl:`#2433`
+
+- When reporting zone types in the statistics channel, the terms
+ :any:`primary <type primary>` and :any:`secondary <type secondary>` are now used instead of ``master`` and
+ ``slave``, respectively. :gl:`#1944`
+
+- The ``rndc nta -dump`` and ``rndc secroots`` commands now both include
+ :any:`validate-except` entries when listing negative trust anchors. These
+ are indicated by the keyword ``permanent`` in place of the expiry
+ date. :gl:`#1532`
+
+- The output of ``rndc serve-stale status`` has been clarified. It now
+ explicitly reports whether retention of stale data in the cache is
+ enabled (:any:`stale-cache-enable`), and whether returning such data in
+ responses is enabled (:any:`stale-answer-enable`). :gl:`#2742`
+
+- Previously, using ``dig +bufsize=0`` had the side effect of disabling
+ EDNS, and there was no way to test the remote server's behavior when
+ it had received a packet with EDNS0 buffer size set to 0. This is no
+ longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
+ version 0 and buffer size set to 0. To disable EDNS, use ``dig
+ +noedns``. :gl:`#2054`
+
+- BIND 9 binaries which are neither daemons nor administrative programs
+ were moved to ``$bindir``. Only ``ddns-confgen``, ``named``, ``rndc``,
+ ``rndc-confgen``, and ``tsig-confgen`` were left in ``$sbindir``.
+ :gl:`#1724`
+
+- The BIND 9 build system has been changed to use a typical
+ autoconf+automake+libtool stack. This should not make any difference
+ for people building BIND 9 from release tarballs, but when building
+ BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
+ first. Extra attention is also needed when using non-standard
+ ``configure`` options. :gl:`#4`
+
+.. _latest NSEC3 recommendations: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02
+
+.. _jemalloc: http://jemalloc.net/
+
+Bug Fixes
+~~~~~~~~~
+
+- Log files using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by
+ ``versions``. This has been fixed. :gl:`#828`
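Review bot: the ``SSLKEYLOGFILE`` paragraph in the first New Features item documents that ``named`` writes TLS pre-master secrets to a file but gives no operational caveat; since anyone who can read that file can decrypt captured DoT/DoH sessions, the entry should say that the variable is intended for debugging sessions only, must not be present in a production service's environment, and that the resulting file needs restrictive permissions. Separately, the static-linking entry under Removed Features is written in the imperative ("Disable and disallow static linking of BIND 9 binaries and libraries") while every other item in the file uses past tense or passive voice; suggest "Static linking of BIND 9 binaries and libraries has been disabled and disallowed, as BIND 9 modules require ``dlopen()`` support and ...".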
diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst
new file mode 100644
index 0000000..f76369b
--- /dev/null
+++ b/doc/notes/notes-9.18.1.rst
@@ -0,0 +1,107 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.1
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The rules for acceptance of records into the cache have been tightened
+ to prevent the possibility of poisoning if forwarders send records
+ outside the configured bailiwick. (CVE-2021-25220)
+
+ ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
+ Network and Information Security Lab, Tsinghua University, and
+ Changgen Zou from Qi An Xin Group Corp. for bringing this
+ vulnerability to our attention. :gl:`#2950`
+
+- TCP connections with :any:`keep-response-order` enabled could leave the
+ TCP sockets in the ``CLOSE_WAIT`` state when the client did not
+ properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+
+- Lookups involving a DNAME could trigger an assertion failure when
+ :any:`synth-from-dnssec` was enabled (which is the default).
+ (CVE-2022-0635)
+
+ ISC would like to thank Vincent Levigneron from AFNIC for bringing
+ this vulnerability to our attention. :gl:`#3158`
+
+- When chasing DS records, a timed-out or artificially delayed fetch
+ could cause ``named`` to crash while resuming a DS lookup.
+ (CVE-2022-0667) :gl:`#3129`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
+ by a client are now included in the client information sent to DLZ
+ modules when processing queries. :gl:`#3082`
+
+- DEBUG(1)-level messages were added when starting and ending the BIND 9
+ task-exclusive mode that stops normal DNS operation (e.g. for
+ reconfiguration, interface scans, and other events that require
+ exclusive access to a shared resource). :gl:`#3137`
+
+- The limit on the number of simultaneously processed pipelined DNS
+ queries received over TCP has been removed. Previously, it was capped
+ at 23 queries processed at the same time. :gl:`#3141`
+
+Bug Fixes
+~~~~~~~~~
+
+- A failed view configuration during a ``named`` reconfiguration
+ procedure could cause inconsistencies in BIND internal structures,
+ causing a crash or other unexpected errors. This has been fixed.
+ :gl:`#3060`
+
+- Previously, ``named`` logged a "quota reached" message when it hit its
+ hard quota on the number of connections. That message was accidentally
+ removed but has now been restored. :gl:`#3125`
+
+- The :any:`max-transfer-time-out` and :any:`max-transfer-idle-out` options
+ were not implemented when the BIND 9 networking stack was refactored
+ in 9.16. The missing functionality has been re-implemented and
+ outgoing zone transfers now time out properly when not progressing.
+ :gl:`#1897`
+
+- TCP connections could hang indefinitely if the other party did not
+ read sent data, causing the TCP write buffers to fill. This has been
+ fixed by adding a "write" timer. Connections that are hung while
+ writing now time out after the :any:`tcp-idle-timeout` period has
+ elapsed. :gl:`#3132`
+
+- Client TCP connections are now closed immediately when data received
+ cannot be parsed as a valid DNS request. :gl:`#3149`
+
+- The statistics counter representing the current number of clients
+ awaiting recursive resolution results (``RecursClients``) could be
+ miscalculated in certain resolution scenarios, potentially causing the
+ value of the counter to drop below zero. This has been fixed.
+ :gl:`#3147`
+
+- An error in the processing of the :any:`blackhole` ACL could cause some
+ DNS requests sent by :iscman:`named` to fail - for example, zone
+ transfer requests and SOA refresh queries - if the destination address
+ or prefix was specifically excluded from the ACL using ``!``, or if
+ the ACL was set to ``none``. This has now been fixed. :any:`blackhole`
+ worked correctly when it was left unset, or if only positive-match
+ elements were included. :gl:`#3157`
+
+- Build errors were introduced in some DLZ modules due to an incomplete
+ change in the previous release. This has been fixed. :gl:`#3111`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
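Review bot: the CVE-2022-0396 entry under Security Fixes states the mechanism (TCP sockets left in ``CLOSE_WAIT`` when the client does not shut the connection down) but, unlike the neighbouring entries that name the consequence (cache poisoning, assertion failure, crash), never says what the operator-visible effect of the accumulating sockets is; state it so readers can judge how urgently to upgrade. Separately, the :any:`blackhole` item under Bug Fixes is the only place in this file that writes the daemon as :iscman:`named`; all other items use ``named``, and the later 9.18.x files in this commit use :iscman:`named` throughout, so one form should be used consistently.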
diff --git a/doc/notes/notes-9.18.10.rst b/doc/notes/notes-9.18.10.rst
new file mode 100644
index 0000000..2fb54f3
--- /dev/null
+++ b/doc/notes/notes-9.18.10.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.10
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- To reduce unnecessary memory consumption in the cache, NXDOMAIN
+ records are no longer retained past the normal negative cache TTL,
+ even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386`
+
+- The :any:`auto-dnssec` option has been deprecated and will be removed
+ in a future BIND 9.19.x release. Please migrate to
+ :any:`dnssec-policy`. :gl:`#3667`
+
+- The :any:`coresize`, :any:`datasize`, :any:`files`, and
+ :any:`stacksize` options have been deprecated. The limits these
+ options set should be enforced externally, either by manual
+ configuration (e.g. using ``ulimit``) or via the process supervisor
+ (e.g. ``systemd``). :gl:`#3676`
+
+- Setting alternate local addresses for inbound zone transfers has been
+ deprecated. The relevant options (:any:`alt-transfer-source`,
+ :any:`alt-transfer-source-v6`, and :any:`use-alt-transfer-source`)
+ will be removed in a future BIND 9.19.x release. :gl:`#3694`
+
+- The number of HTTP headers allowed in requests sent to
+ :iscman:`named`'s statistics channel has been increased from 10 to
+ 100, to accommodate some browsers that send more than 10 headers
+ by default. :gl:`#3670`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash due to an assertion failure when an HTTP
+ connection to the statistics channel was closed prematurely (due to a
+ connection error, shutdown, etc.). This has been fixed. :gl:`#3693`
+
+- When a catalog zone was removed from the configuration, in some cases
+ a dangling pointer could cause the :iscman:`named` process to crash.
+ This has been fixed. :gl:`#3683`
+
+- When a zone was deleted from a server, a key management object related
+ to that zone was inadvertently kept in memory and only released upon
+ shutdown. This could lead to constantly increasing memory use on
+ servers with a high rate of changes affecting the set of zones being
+ served. This has been fixed. :gl:`#3727`
+
+- TLS configuration for primary servers was not applied for zones that
+ were members of a catalog zone. This has been fixed. :gl:`#3638`
+
+- In certain cases, :iscman:`named` waited for the resolution of
+ outstanding recursive queries to finish before shutting down. This was
+ unintended and has been fixed. :gl:`#3183`
+
+- :iscman:`host` and :iscman:`nslookup` command-line options setting the
+ custom TCP/UDP port to use were ignored for ANY queries (which are
+ sent over TCP). This has been fixed. :gl:`#3721`
+
+- The ``zone <name>/<class>: final reference detached`` log message was
+ moved from the INFO log level to the DEBUG(1) log level to prevent the
+ :iscman:`named-checkzone` tool from superfluously logging this message
+ in non-debug mode. :gl:`#3707`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
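Review bot: the Feature Changes entry deprecating :any:`coresize`, :any:`datasize`, :any:`files`, and :any:`stacksize` gives no target removal release, whereas the two adjacent deprecation entries (:any:`auto-dnssec` and the alternate-transfer-source options) both say "will be removed in a future BIND 9.19.x release"; if the same schedule applies, say so for consistency, and if it does not, say what happens to configurations that still set these limits.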
diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst
new file mode 100644
index 0000000..3e44dc2
--- /dev/null
+++ b/doc/notes/notes-9.18.11.rst
@@ -0,0 +1,112 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.11
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+ available memory. This flaw was addressed by adding a new
+ :any:`update-quota` option that controls the maximum number of
+ outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+ queue at any given time (default: 100). (CVE-2022-3094)
+
+ ISC would like to thank Rob Schulhof from Infoblox for bringing this
+ vulnerability to our attention. :gl:`#3523`
+
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+ query was received and :any:`stale-answer-client-timeout` was set to a
+ non-zero value. This has been fixed. (CVE-2022-3736)
+
+ ISC would like to thank Borja Marcos from Sarenet (with assistance by
+ Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+ our attention. :gl:`#3622`
+
+- :iscman:`named` running as a resolver with the
+ :any:`stale-answer-client-timeout` option set to any value greater
+ than ``0`` could crash with an assertion failure, when the
+ :any:`recursive-clients` soft quota was reached. This has been fixed.
+ (CVE-2022-3924)
+
+ ISC would like to thank Maksym Odinintsev from AWS for bringing this
+ vulnerability to our attention. :gl:`#3619`
+
+New Features
+~~~~~~~~~~~~
+
+- The new :any:`update-quota` option can be used to control the number
+ of simultaneous DNS UPDATE messages that can be processed to update an
+ authoritative zone on a primary server, or forwarded to the primary
+ server by a secondary server. The default is 100. A new statistics
+ counter has also been added to record events when this quota is
+ exceeded, and the version numbers for the XML and JSON statistics
+ schemas have been updated. :gl:`#3523`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The Differentiated Services Code Point (DSCP) feature in BIND has been
+ non-operational since the new Network Manager was introduced in BIND
+ 9.16. It is now marked as obsolete, and vestigial code implementing it
+ has been removed. Configuring DSCP values in ``named.conf`` now causes
+ a warning to be logged. :gl:`#3773`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The catalog zone implementation has been optimized to work with
+ hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`
+
+Bug Fixes
+~~~~~~~~~
+
+- A rare assertion failure was fixed in outgoing TCP DNS connection
+ handling. :gl:`#3178` :gl:`#3636`
+
+- Large zone transfers over TLS (XoT) could fail. This has been fixed.
+ :gl:`#3772`
+
+- In addition to a previously fixed bug, another similar issue was
+ discovered where quotas could be erroneously reached for servers,
+ including any configured forwarders, resulting in SERVFAIL answers
+ being sent to clients. This has been fixed. :gl:`#3752`
+
+- In certain query resolution scenarios (e.g. when following CNAME
+ records), :iscman:`named` configured to answer from stale cache could
+ return a SERVFAIL response despite a usable, non-stale answer being
+ present in the cache. This has been fixed. :gl:`#3678`
+
+- When an outgoing request timed out, :iscman:`named` would retry up to
+ three times with the same server instead of trying the next available
+ name server. This has been fixed. :gl:`#3637`
+
+- Recently used ADB names and ADB entries (IP addresses) could get
+ cleaned when ADB was under memory pressure. To mitigate this, only
+ actual ADB names and ADB entries are now counted (excluding internal
+ memory structures used for "housekeeping") and recently used (<= 10
+ seconds) ADB names and entries are excluded from the overmem memory
+ cleaner. :gl:`#3739`
+
+- The "Prohibited" Extended DNS Error was inadvertently set in some
+ NOERROR responses. This has been fixed. :gl:`#3743`
+
+- Previously, TLS session resumption could have led to handshake
+ failures when client certificates were used for authentication (Mutual
+ TLS). This has been fixed. :gl:`#3725`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
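Review bot: the :any:`update-quota` option is described twice with slightly different semantics: the CVE-2022-3094 entry under Security Fixes calls it "the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a queue", while the New Features entry (same :gl:`#3523`) calls it "the number of simultaneous DNS UPDATE messages that can be processed ... or forwarded to the primary server by a secondary server". Pick one description (queued versus in-flight) and have the other entry refer to it, so operators tuning the default of 100 know which resource the quota bounds.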
diff --git a/doc/notes/notes-9.18.12.rst b/doc/notes/notes-9.18.12.rst
new file mode 100644
index 0000000..be2046a
--- /dev/null
+++ b/doc/notes/notes-9.18.12.rst
@@ -0,0 +1,54 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.12
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Specifying a ``port`` when configuring source addresses (i.e., as an
+ argument to :any:`query-source`, :any:`query-source-v6`,
+ :any:`transfer-source`, :any:`transfer-source-v6`,
+ :any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`,
+ or :any:`parental-source-v6`, or in the ``source`` or ``source-v6``
+ arguments to :any:`primaries`, :any:`parental-agents`,
+ :any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In
+ addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`,
+ :any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have
+ also been deprecated.
+
+ Warnings are now logged when any of these options are encountered in
+ ``named.conf``. In a future release, they will be made nonfunctional.
+ :gl:`#3781`
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+ reconfig`` could cause increased memory consumption due to delayed
+ cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+ NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Pointing :any:`parental-agents` to a resolver did not work because the
+ RD bit was not set on DS requests. This has been fixed. :gl:`#3783`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+ ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
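Review bot: The heading "Removed Features" does not match what the entry under it says; the text reads "has been deprecated" and "In a future release, they will be made nonfunctional.", so nothing has been removed in 9.18.12 and an operator scanning release notes for removals would be misled. Use a "Deprecated Features" heading or move the entry under "Feature Changes". In the same file, "The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved." is a performance change rather than a bug fix and would sit better under "Feature Changes" as well.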
diff --git a/doc/notes/notes-9.18.13.rst b/doc/notes/notes-9.18.13.rst
new file mode 100644
index 0000000..90b374a
--- /dev/null
+++ b/doc/notes/notes-9.18.13.rst
@@ -0,0 +1,75 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.13
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- RPZ updates are now run on specialized "offload" threads to reduce the
+ amount of time they block query processing on the main networking
+ threads. This increases the responsiveness of :iscman:`named` when RPZ
+ updates are being applied after an RPZ zone has been successfully
+ transferred. :gl:`#3190`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Catalog zone updates are now run on specialized "offload" threads to
+ reduce the amount of time they block query processing on the main
+ networking threads. This increases the responsiveness of
+ :iscman:`named` when catalog zone updates are being applied after a
+ catalog zone has been successfully transferred. :gl:`#3881`
+
+- libuv support for receiving multiple UDP messages in a single
+ ``recvmmsg()`` system call has been tweaked several times between
+ libuv versions 1.35.0 and 1.40.0; the current recommended libuv
+ version is 1.40.0 or higher. New rules are now in effect for running
+ with a different version of libuv than the one used at compilation
+ time. These rules may trigger a fatal error at startup:
+
+ - Building against or running with libuv versions 1.35.0 and 1.36.0 is
+ now a fatal error.
+
+ - Running with libuv version higher than 1.34.2 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.34.2 or lower.
+
+ - Running with libuv version higher than 1.39.0 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
+ 1.38.1, or 1.39.0.
+
+ This prevents the use of libuv versions that may trigger an assertion
+ failure when receiving multiple UDP messages in a single system call.
+ :gl:`#3840`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash with an assertion failure when adding a
+ new zone into the configuration file for a name which was already
+ configured as a member zone for a catalog zone. This has been fixed.
+ :gl:`#3911`
+
+- When :iscman:`named` starts up, it sends a query for the DNSSEC key
+ for each configured trust anchor to determine whether the key has
+ changed. In some unusual cases, the query might depend on a zone for
+ which the server is itself authoritative, and would have failed if it
+ were sent before the zone was fully loaded. This has now been fixed by
+ delaying the key queries until all zones have finished loading.
+ :gl:`#3673`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
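Review bot: The libuv compatibility rules leave the downgrade case undefined: the entry recommends "1.40.0 or higher", yet none of the three rules says what happens when named is built against 1.40.0 or newer and then run with an older library such as 1.37.0 to 1.39.0 (the third rule only covers builds against "1.37.0, 1.38.0, 1.38.1, or 1.39.0"). A runtime library swap is exactly the situation this list exists for, so either add a rule for that combination or state explicitly that it is permitted. Minor: the RPZ entry under New Features and the catalog zone entry under Feature Changes are near-verbatim copies of each other; one entry citing both :gl:`#3190` and :gl:`#3881` would read better.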
diff --git a/doc/notes/notes-9.18.14.rst b/doc/notes/notes-9.18.14.rst
new file mode 100644
index 0000000..38e0256
--- /dev/null
+++ b/doc/notes/notes-9.18.14.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.14
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Zone type ``delegation-only``, and the ``delegation-only`` and
+ ``root-delegation-only`` statements, have been deprecated.
+ A warning is now logged when they are used.
+
+ These statements were created to address the SiteFinder controversy,
+ in which certain top-level domains redirected misspelled queries to
+ other sites instead of returning NXDOMAIN responses. Since top-level
+ domains are now DNSSEC-signed, and DNSSEC validation is active by
+ default, the statements are no longer needed. :gl:`#3953`
+
+Bug Fixes
+~~~~~~~~~
+
+- Several bugs which could cause :iscman:`named` to crash during catalog
+ zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997`
+
+- Previously, downloading large zones over TLS (XoT) from a primary
+ could hang the transfer on the secondary, especially when the
+ connection was unstable. This has been fixed. :gl:`#3867`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records has
+ been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
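Review bot: The justification "Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed." rests on an absolute the entry does not support: it does not claim that every top-level domain is signed, and a server with validation turned off gains nothing from signing. Qualify the wording ("most top-level domains", "when validation is enabled") so the deprecation rationale is accurate. The catalog zone entry cites three issues (:gl:`#3955` :gl:`#3968` :gl:`#3997`) with no hint of the triggering configurations; one sentence on what was affected would help operators decide whether to expedite the upgrade.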
diff --git a/doc/notes/notes-9.18.15.rst b/doc/notes/notes-9.18.15.rst
new file mode 100644
index 0000000..7642ab2
--- /dev/null
+++ b/doc/notes/notes-9.18.15.rst
@@ -0,0 +1,57 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.15
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in`
+ statements have not had any effect since the BIND 9 networking stack
+ was refactored in version 9.16. The missing functionality has been
+ re-implemented and incoming zone transfers now time out properly when
+ not progressing. :gl:`#4004`
+
+- The read timeout in :iscman:`rndc` is now 60 seconds, matching the
+ behavior in BIND 9.16 and earlier. It had previously been lowered to
+ 30 seconds by mistake. :gl:`#4046`
+
+- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``)
+ error code is returned by libuv, it is now treated as a network
+ failure: the server for which that error code is returned gets marked
+ as broken and is not contacted again during a given resolution
+ process. :gl:`#4005`
+
+- When removing delegations from an opt-out range, empty-non-terminal
+ NSEC3 records generated by those delegations were not cleaned up. This
+ has been fixed. :gl:`#4027`
+
+- Log file rotation code did not clean up older versions of log files
+ when the logging :any:`channel` had an absolute path configured as a
+ ``file`` destination. This has been fixed. :gl:`#3991`
+
+Known Issues
+~~~~~~~~~~~~
+
+- Sending NOTIFY messages silently fails when the source port specified
+ in the :any:`notify-source` statement is already in use. This can
+ happen e.g. when multiple servers are configured as NOTIFY targets for
+ a zone and some of them are unresponsive. This issue can be worked
+ around by not specifying the source port for NOTIFY messages in the
+ :any:`notify-source` statement; note that source port configuration is
+ already `deprecated`_ and will be removed altogether in a future
+ release. :gl:`#4002`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
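Review bot: The Known Issues entry says sending NOTIFY "silently fails" when the :any:`notify-source` port is in use but does not say whether anything is logged at any level; if nothing is, state that plainly so operators know the condition cannot be detected from logs and that the only recourse is the documented workaround of dropping the port from :any:`notify-source`. The ``.. _deprecated:`` hyperlink target at the end of the file points at the same issue that the 9.18.12 notes cite inline as :gl:`#3781`; using the :gl: role here too keeps the files consistent and avoids a stray link definition.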
diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst
new file mode 100644
index 0000000..9ed090c
--- /dev/null
+++ b/doc/notes/notes-9.18.16.rst
@@ -0,0 +1,72 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.16
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache from
+ significantly exceeding the configured :any:`max-cache-size` limit.
+ (CVE-2023-2828)
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
+ and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to
+ our attention. :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to refresh
+ the stale data in cache. If the fetch is aborted for exceeding the recursion
+ quota, it was possible for :iscman:`named` to enter an infinite callback
+ loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
+ :gl:`#4089`
+
+New Features
+~~~~~~~~~~~~
+
+- The system test suite can now be executed with pytest (along with
+ pytest-xdist for parallel execution). :gl:`#3978`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and
+ will be removed in a future release. A warning will be logged when
+ the :any:`tkey-dhkey` option is used in ``named.conf``. :gl:`#3905`
+
+Bug Fixes
+~~~~~~~~~
+
+- BIND could get stuck on reconfiguration when a :any:`listen-on`
+ statement for HTTP is removed from the configuration. That has been
+ fixed. :gl:`#4071`
+
+- Previously, it was possible for a delegation from cache to be returned
+ to the client after the :any:`stale-answer-client-timeout` duration.
+ This has been fixed. :gl:`#3950`
+
+- BIND could allocate too big buffers when sending data via
+ stream-based DNS transports, leading to increased memory usage.
+ This has been fixed. :gl:`#4038`
+
+- When the :any:`stale-answer-enable` option was enabled and the
+ :any:`stale-answer-client-timeout` option was enabled and larger than
+ 0, :iscman:`named` previously allocated two slots from the
+ :any:`clients-per-query` limit for each client and failed to gradually
+ auto-tune its value, as configured. This has been fixed. :gl:`#4074`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
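Review bot: The CVE-2023-2828 entry describes only the remedy ("The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured :any:`max-cache-size` limit.") and never states the impact of the cache exceeding that limit, unlike the CVE-2023-2911 entry which says what could happen ("crash due to stack overflow"). Add the consequence so operators can judge urgency from the notes alone. The heading "Removed Features" again covers an item that is only deprecated ("TKEY mode 2 ... is now deprecated, and will be removed in a future release"); see the comment on the 9.18.12 file.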
diff --git a/doc/notes/notes-9.18.17.rst b/doc/notes/notes-9.18.17.rst
new file mode 100644
index 0000000..87dbca3
--- /dev/null
+++ b/doc/notes/notes-9.18.17.rst
@@ -0,0 +1,42 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.17
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- If a response from an authoritative server has its RCODE set to
+ FORMERR and contains an echoed EDNS COOKIE option that was present in
+ the query, :iscman:`named` now retries sending the query to the
+ same server without an EDNS COOKIE option. :gl:`#4049`
+
+- The ``relaxed`` QNAME minimization mode now uses NS records. This
+ reduces the number of queries :iscman:`named` makes when resolving, as
+ it allows the non-existence of NS RRsets at non-referral nodes to be
+ cached in addition to the normally cached referrals. :gl:`#3325`
+
+Bug Fixes
+~~~~~~~~~
+
+- The ability to read HMAC-MD5 key files, which was accidentally lost in
+ BIND 9.18.8, has been restored. :gl:`#3668` :gl:`#4154`
+
+- Several minor stability issues with the catalog zone implementation
+ have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
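Review bot: The EDNS COOKIE entry ("named now retries sending the query to the same server without an EDNS COOKIE option") should state the scope of the fallback: is it a single retry for that query, or is the server remembered as not supporting cookies, and is the fallback logged? Without that, operators cannot tell how much of the cookie protection is given up whenever a FORMERR arrives. For the HMAC-MD5 entry, spell out the affected range (the loss is dated to 9.18.8, the fix lands here) so users of the intermediate releases know their key files were unreadable across those versions.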
diff --git a/doc/notes/notes-9.18.18.rst b/doc/notes/notes-9.18.18.rst
new file mode 100644
index 0000000..1071967
--- /dev/null
+++ b/doc/notes/notes-9.18.18.rst
@@ -0,0 +1,47 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.18
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When a primary server for a zone responds to an SOA query, but the
+ subsequent TCP connection required to transfer the zone is refused,
+ that server is marked as temporarily unreachable. This now also
+ happens if the TCP connection attempt times out, preventing too many
+ zones from queuing up on an unreachable server and allowing the
+ refresh process to move on to the next configured primary more
+ quickly. :gl:`#4215`
+
+- The :any:`dialup` and :any:`heartbeat-interval` options have been
+ deprecated and will be removed in a future BIND 9 release. :gl:`#3700`
+
+Bug Fixes
+~~~~~~~~~
+
+- Processing already-queued queries received over TCP could cause an
+ assertion failure, when the server was reconfigured at the same time
+ or the cache was being flushed. This has been fixed. :gl:`#4200`
+
+- Setting :any:`dnssec-policy` to ``insecure`` prevented zones
+ containing resource records with a TTL value larger than 86400 seconds
+ (1 day) from being loaded. This has been fixed by ignoring the TTL
+ values in the zone and using a value of 604800 seconds (1 week) as the
+ maximum zone TTL in key rollover timing calculations. :gl:`#4032`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
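Review bot: The :any:`dnssec-policy` ``insecure`` fix ("ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations") does not say what happens when a zone genuinely contains TTLs above 604800 seconds; such records outlive the assumed maximum in caches, so the timing computed for withdrawing keys could be shorter than the data requires. State whether those zones are rejected, warned about, or silently mis-timed. Also, the :any:`dialup` and :any:`heartbeat-interval` deprecation sits under "Feature Changes" while the other files in this patch put deprecations under "Removed Features"; pick one convention.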
diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst
new file mode 100644
index 0000000..3d3c513
--- /dev/null
+++ b/doc/notes/notes-9.18.19.rst
@@ -0,0 +1,96 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.19
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, sending a specially crafted message over the control
+ channel could cause the packet-parsing code to run out of available
+ stack memory, causing :iscman:`named` to terminate unexpectedly.
+ This has been fixed. (CVE-2023-3341)
+
+ ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
+ bringing this vulnerability to our attention. :gl:`#4152`
+
+- A flaw in the networking code handling DNS-over-TLS queries could
+ cause :iscman:`named` to terminate unexpectedly due to an assertion
+ failure under significant DNS-over-TLS query load. This has been
+ fixed. (CVE-2023-4236)
+
+ ISC would like to thank Robert Story from USC/ISI Root Server
+ Operations for bringing this vulnerability to our attention.
+ :gl:`#4242`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The :any:`dnssec-must-be-secure` option has been deprecated and will
+ be removed in a future release. :gl:`#4263`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- If the ``server`` command is specified, :iscman:`nsupdate` now honors
+ the :option:`nsupdate -v` option for SOA queries by sending both the
+ UPDATE request and the initial query over TCP. :gl:`#1181`
+
+Bug Fixes
+~~~~~~~~~
+
+- The value of the If-Modified-Since header in the statistics channel
+ was not being correctly validated for its length, potentially allowing
+ an authorized user to trigger a buffer overflow. Ensuring the
+ statistics channel is configured correctly to grant access exclusively
+ to authorized users is essential (see the :any:`statistics-channels`
+ block definition and usage section). :gl:`#4124`
+
+ This issue was reported independently by Eric Sesterhenn of X41 D-Sec
+ GmbH and Cameron Whitehead.
+
+- The Content-Length header in the statistics channel was lacking proper
+ bounds checking. A negative or excessively large value could
+ potentially trigger an integer overflow and result in an assertion
+ failure. :gl:`#4125`
+
+ This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
+
+- Several memory leaks caused by not clearing the OpenSSL error stack
+ were fixed. :gl:`#4159`
+
+ This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
+
+- The introduction of ``krb5-subdomain-self-rhs`` and
+ ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
+ :iscman:`named` to return SERVFAIL responses to deletion requests for
+ non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
+
+- The :any:`stale-refresh-time` feature was mistakenly disabled when the
+ server cache was flushed by :option:`rndc flush`. This has been fixed.
+ :gl:`#4278`
+
+- BIND's memory consumption has been improved by implementing dedicated
+ jemalloc memory arenas for sending buffers. This optimization ensures
+ that memory usage is more efficient and better manages the return of
+ memory pages to the operating system. :gl:`#4038`
+
+- Previously, partial writes in the TLS DNS code were not accounted for
+ correctly, which could have led to DNS message corruption. This has
+ been fixed. :gl:`#4255`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
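Review bot: The two statistics channel entries (:gl:`#4124`, an If-Modified-Since length check allowing "a buffer overflow"; :gl:`#4125`, a Content-Length value that "could potentially trigger an integer overflow and result in an assertion failure") describe memory-safety defects reachable by anyone the channel accepts, yet they sit under Bug Fixes and, unlike the other entries in this file, never say "This has been fixed."; add that sentence and consider whether they belong under Security Fixes, given that the text itself advises restricting :any:`statistics-channels` access as a mitigation. The OpenSSL error stack entry (:gl:`#4159`) has the same omission. Separately, :gl:`#4038` is already reported as fixed in the 9.18.16 notes ("BIND could allocate too big buffers ... This has been fixed."); if the jemalloc arenas are a follow-up, say so rather than citing the same issue twice.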
diff --git a/doc/notes/notes-9.18.2.rst b/doc/notes/notes-9.18.2.rst
new file mode 100644
index 0000000..0111083
--- /dev/null
+++ b/doc/notes/notes-9.18.2.rst
@@ -0,0 +1,53 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.2
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new configuration option :any:`reuseport` to disable load balancing
+ on sockets in situations where processing of Response Policy Zones
+ (RPZ), Catalog Zones, or large zone transfers can cause service
+ disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, zone maintenance DNS queries retried forever if the
+ destination server was unreachable. These queries included outgoing
+ NOTIFY messages, refresh SOA queries, parental DS checks, and stub
+ zone NS queries. For example, if a zone had any nameservers with IPv6
+ addresses and a secondary server without IPv6 connectivity, that
+ server would keep trying to send a growing amount of NOTIFY traffic
+ over IPv6. This futile traffic was not logged. This excessive retry
+ behavior has been fixed. :gl:`#3242`
+
+- A number of crashes and hangs which could be triggered in
+ :iscman:`dig` were identified and addressed. :gl:`#3020` :gl:`#3128`
+ :gl:`#3145` :gl:`#3184` :gl:`#3205` :gl:`#3244` :gl:`#3248`
+
+- Invalid :any:`dnssec-policy` definitions, where the defined keys did not
+ cover both KSK and ZSK roles for a given algorithm, were being
+ accepted. These are now checked, and the :any:`dnssec-policy` is rejected
+ if both roles are not present for all algorithms in use. :gl:`#3142`
+
+- Handling of TCP write timeouts has been improved to track the timeout
+ for each TCP write separately, leading to a faster connection teardown
+ in case the other party is not reading the data. :gl:`#3200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
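Review bot: The zone maintenance retry entry says "This futile traffic was not logged." and then only "This excessive retry behavior has been fixed."; it does not say whether unreachable destinations are now logged or whether the retries simply stop, which is what an operator debugging a secondary without IPv6 connectivity needs to know. The :any:`reuseport` entry defers entirely to "the BIND 9 ARM for more detail" without giving the default value; since the option disables load balancing on sockets, one sentence stating the default and that the trade-off is load balancing versus the RPZ, catalog zone, and transfer stalls would make the entry self-contained.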
diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst
new file mode 100644
index 0000000..09952c9
--- /dev/null
+++ b/doc/notes/notes-9.18.3.rst
@@ -0,0 +1,73 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.3
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, TLS socket objects could be destroyed prematurely, which
+ triggered assertion failures in :iscman:`named` instances serving
+ DNS-over-HTTPS (DoH) clients. This has been fixed.
+
+ ISC would like to thank Thomas Amgarten from arcade solutions ag for
+ bringing this vulnerability to our attention. (CVE-2022-1183)
+ :gl:`#3216`
+
+Known Issues
+~~~~~~~~~~~~
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+ be inspected when verifying a remote certificate while establishing a
+ DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+ instead. Unfortunately, some quite old versions of cryptographic
+ libraries might lack the ability to ignore the ``Subject`` field. This
+ should have minimal production-use consequences, as most of the
+ production-ready certificates issued by certificate authorities will
+ have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+ ignored. Only old platforms are affected by this, e.g. those supplied
+ with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Catalog Zones schema version 2, as described in the
+ "DNS Catalog Zones" IETF draft version 5 document, is now supported by
+ :iscman:`named`. All of the previously supported BIND-specific catalog
+ zone custom properties (:any:`primaries`, :any:`allow-query`, and
+ :any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
+ property, are now implemented. Schema version 1 is still supported,
+ with some additional validation rules applied from schema version 2:
+ for example, the :any:`version` property is mandatory, and a member zone
+ PTR RRset must not contain more than one record. In the event of a
+ validation error, a corresponding error message is logged to help with
+ diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
+ :gl:`#3224` :gl:`#3225`
+
+- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
+ ``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
+ :gl:`#2267`
+
+- Add support for remote TLS certificate verification, both to
+ :iscman:`named` and :iscman:`dig`, making it possible to implement
+ Strict and Mutual TLS authentication, as described in :rfc:`9103`,
+ Section 9.3. :gl:`#3163`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+ when configured with the ``auto-dnssec maintain;`` option. This has
+ been fixed. :gl:`#2931`
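Review bot: Section order here differs from every other notes file in this patch: "Known Issues" appears between "Security Fixes" and "New Features", and nothing follows "Bug Fixes". Move "Known Issues" to the end for consistency. The CVE-2022-1183 identifier is attached to the acknowledgement paragraph rather than to the sentence describing the fix, unlike the placement in the 9.18.7 and 9.18.16 notes; put "(CVE-2022-1183)" after "This has been fixed." Finally, the :rfc:`8310` entry should state what :iscman:`named` does on the affected platforms when a certificate has no ``subjectAltName``: whether the connection is refused or the ``Subject`` field is consulted, since that is the security-relevant outcome of the known issue.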
diff --git a/doc/notes/notes-9.18.4.rst b/doc/notes/notes-9.18.4.rst
new file mode 100644
index 0000000..1579bc4
--- /dev/null
+++ b/doc/notes/notes-9.18.4.rst
@@ -0,0 +1,44 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.4
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- New :any:`dnssec-policy` configuration checks have been added to detect
+ unusual policies, such as missing KSK and/or ZSK and too-short key
+ lifetimes and re-sign periods. :gl:`#1611`
+
+Bug Fixes
+~~~~~~~~~
+
+- The :any:`fetches-per-server` quota is designed to adjust itself downward
+ automatically when an authoritative server times out too frequently.
+ Due to a coding error, that adjustment was applied incorrectly, so
+ that the quota for a congested server was always set to 1. This has
+ been fixed. :gl:`#3327`
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+ has been fixed. :gl:`#3380`
+
+- Key files were updated every time the :any:`dnssec-policy` key manager
+ ran, whether the metadata had changed or not. :iscman:`named` now
+ checks whether changes were applied before writing out the key files.
+ :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.5.rst b/doc/notes/notes-9.18.5.rst
new file mode 100644
index 0000000..546b1b3
--- /dev/null
+++ b/doc/notes/notes-9.18.5.rst
@@ -0,0 +1,59 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.5
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The :option:`dnssec-signzone -H` default value has been changed to 0
+ additional NSEC3 iterations. This change aligns the
+ :iscman:`dnssec-signzone` default with the default used by the
+ :any:`dnssec-policy` feature. At the same
+ time, documentation about NSEC3 has been aligned with the `Best
+ Current Practice`_. :gl:`#3395`
+
+.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure caused by a TCP connection closing between a
+ connect (or accept) and a read from a socket has been fixed.
+ :gl:`#3400`
+
+- When grafting non-delegated namespace onto delegated namespace,
+ :any:`synth-from-dnssec` could incorrectly synthesize non-existence of
+ records within the non-delegated namespace using NSEC records from
+ higher zones. :gl:`#3402`
+
+- Previously, :iscman:`named` immediately returned a SERVFAIL response
+ to the client when it received a FORMERR response from an
+ authoritative server during recursive resolution. This has been fixed:
+ :iscman:`named` acting as a resolver now attempts to contact other
+ authoritative servers for a given domain when it receives a FORMERR
+ response from one of them. :gl:`#3152`
+
+- Previously, :option:`rndc reconfig` did not pick up changes to
+ :any:`endpoints` statements in :any:`http` blocks. This has been
+ fixed. :gl:`#3415`
+
+- It was possible for a catalog zone consumer to process a catalog zone
+ member zone when there was a configured pre-existing forward-only
+ forward zone with the same name. This has been fixed. :gl:`#2506`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
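Review bot: The :any:`synth-from-dnssec` entry ("could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones") describes the defect but, unlike its neighbours, never states that it was fixed or what the corrected behaviour is; add "This has been fixed." and ideally say that synthesis is now skipped in that case. The ``Best Current Practice`` link pins draft revision ``-10`` (draft-ietf-dnsop-nsec3-guidance-10); linking the versionless datatracker page would keep the reference valid as the document progresses.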
diff --git a/doc/notes/notes-9.18.6.rst b/doc/notes/notes-9.18.6.rst
new file mode 100644
index 0000000..3ed788f
--- /dev/null
+++ b/doc/notes/notes-9.18.6.rst
@@ -0,0 +1,62 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.6
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
+ disabled on systems where they are disallowed by the security policy
+ (e.g. Red Hat Enterprise Linux 9). Primary zones using those
+ algorithms need to be migrated to new algorithms prior to running on
+ these systems, as graceful migration to different DNSSEC algorithms is
+ not possible when RSASHA1 is disallowed by the operating system.
+ :gl:`#3469`
+
+- Log messages related to fetch limiting have been improved to provide
+ more complete information. Specifically, the final counts of allowed
+ and spilled fetches are now logged before the counter object is
+ destroyed. :gl:`#3461`
+
+Bug Fixes
+~~~~~~~~~
+
+- When running as a validating resolver forwarding all queries to
+ another resolver, :iscman:`named` could crash with an assertion
+ failure. These crashes occurred when the configured forwarder sent a
+ broken DS response and :iscman:`named` failed its attempts to find a
+ proper one instead. This has been fixed. :gl:`#3439`
+
+- Non-dynamic zones that inherit :any:`dnssec-policy` from the
+ :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
+ marked as inline-signed and therefore never scheduled to be re-signed.
+ This has been fixed. :gl:`#3438`
+
+- The old :any:`max-zone-ttl` zone option was meant to be superseded by
+ the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the
+ latter option was not fully effective. This has been corrected: zones
+ no longer load if they contain TTLs greater than the limit configured
+ in :any:`dnssec-policy`. For zones with both the old
+ :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the
+ old option is ignored, and a warning is generated. :gl:`#2918`
+
+- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
+ expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
+ the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
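Review bot: The RSASHA1/NSEC3RSASHA1 entry covers the primary side ("Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems") but says nothing about validation: on a system whose security policy disallows those algorithms, are zones signed only with RSASHA1 treated as insecure or do lookups fail? Resolver operators on Red Hat Enterprise Linux 9 need that outcome stated here. The :any:`max-zone-ttl` entry should also say which limit applies when only the old zone option is set and no :any:`dnssec-policy` is configured, since the text only covers the case where both are present.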
diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst
new file mode 100644
index 0000000..dade98e
--- /dev/null
+++ b/doc/notes/notes-9.18.7.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.7
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, there was no limit to the number of database lookups
+ performed while processing large delegations, which could be abused to
+ severely impact the performance of :iscman:`named` running as a
+ recursive resolver. This has been fixed. (CVE-2022-2795)
+
+ ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
+ Bremler-Barr & Shani Stajnrod from Reichman University for bringing
+ this vulnerability to our attention. :gl:`#3394`
+
+- When an HTTP connection was reused to request statistics from the
+ stats channel, the content length of successive responses could grow
+ in size past the end of the allocated buffer. This has been fixed.
+ (CVE-2022-2881) :gl:`#3493`
+
+- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
+ could be externally triggered, when using TKEY records in DH mode with
+ OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`
+
+- :iscman:`named` running as a resolver with the
+ :any:`stale-answer-client-timeout` option set to ``0`` could crash
+ with an assertion failure, when there was a stale CNAME in the cache
+ for the incoming query. This has been fixed. (CVE-2022-3080)
+ :gl:`#3517`
+
+- Memory leaks were fixed that could be externally triggered in the
+ DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ :gl:`#3487`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Response Rate Limiting (RRL) code now treats all QNAMEs that are
+ subject to wildcard processing within a given zone as the same name,
+ to prevent circumventing the limits enforced by RRL. :gl:`#3459`
+
+- Zones using :any:`dnssec-policy` now require dynamic DNS or
+ :any:`inline-signing` to be configured explicitly. :gl:`#3381`
+
+- When reconfiguring :any:`dnssec-policy` from using NSEC with an
+ NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
+ BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
+ until the offending DNSKEY records have been removed from the zone,
+ then switches to using NSEC3. :gl:`#3486`
+
+- A backward-compatible approach was implemented for encoding
+ internationalized domain names (IDN) in :iscman:`dig` and converting
+ the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
+ conversion. :gl:`#3485`
+
+Bug Fixes
+~~~~~~~~~
+
+- A serve-stale bug was fixed, where BIND would try to return stale data
+ from cache for lookups that received duplicate queries or queries that
+ would be dropped. This bug resulted in premature SERVFAIL responses,
+ and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
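Review bot: In the third and fifth Security Fixes entries the relative clause is detached from its noun ("Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered" and "Memory leaks were fixed that could be externally triggered in the DNSSEC verification code"), which reads as if the fix, not the leak, could be triggered; reorder to "Memory leaks that could be externally triggered ... were fixed", e.g. "Memory leaks that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm were fixed. (CVE-2022-38178)". The CVE identifiers are also placed inconsistently (before the acknowledgement paragraph in the first entry, directly before :gl: in the others); one placement throughout would help readers scanning for a CVE.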
diff --git a/doc/notes/notes-9.18.8.rst b/doc/notes/notes-9.18.8.rst
new file mode 100644
index 0000000..457f470
--- /dev/null
+++ b/doc/notes/notes-9.18.8.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.8
+---------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
+ a manual configuration change. The following configurations are
+ affected:
+
+ - :any:`type primary` zones configured with :any:`dnssec-policy` but
+ without either :any:`allow-update` or :any:`update-policy`,
+ - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+ In these cases please add :namedconf:ref:`inline-signing yes;
+ <inline-signing>` to the individual zone configuration(s). Without
+ applying this change, :iscman:`named` will fail to start. For more
+ details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND 9.18 does not support dynamic update forwarding (see
+ :any:`allow-update-forwarding`) in conjuction with zone transfers over
+ TLS (XoT). :gl:`#3512`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+ issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Support for parsing and validating the ``dohpath`` service parameter
+ in SVCB records was added. :gl:`#3544`
+
+- :iscman:`named` now logs the supported cryptographic algorithms during
+ startup and in the output of :option:`named -V`. :gl:`#3541`
+
+- The ``recursion not available`` and ``query (cache) '...' denied`` log
+ messages were extended to include the name of the ACL that caused a
+ given query to be denied. :gl:`#3587`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
+ using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
+ compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
+ environment variable at compile time. :gl:`#3578`
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure was fixed in :iscman:`named` that was caused by
+ aborting the statistics channel connection while sending statistics
+ data to the client. :gl:`#3542`
+
+- Changing just the TSIG key names for primaries in catalog zones'
+ member zones was not effective. This has been fixed. :gl:`#3557`
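Review bot: Typo in the second Known Issues entry: "in conjuction with" should be "in conjunction with". The first two Known Issues entries are also a verbatim copy of the text added to doc/notes/notes-known-issues.rst in this same commit; since this file already points readers at :ref:`relnotes_known_issues`, keeping the text only there would avoid the two copies drifting apart (the typo would otherwise have to be fixed in both places).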
diff --git a/doc/notes/notes-9.18.9.rst b/doc/notes/notes-9.18.9.rst
new file mode 100644
index 0000000..828f459
--- /dev/null
+++ b/doc/notes/notes-9.18.9.rst
@@ -0,0 +1,61 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.9
+---------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A crash was fixed that happened when a :any:`dnssec-policy` zone that
+ used NSEC3 was reconfigured to enable :any:`inline-signing`.
+ :gl:`#3591`
+
+- In certain resolution scenarios, quotas could be erroneously reached
+ for servers, including any configured forwarders, resulting in
+ SERVFAIL answers being sent to clients. This has been fixed.
+ :gl:`#3598`
+
+- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective
+ in some cases if a query had the CD (Checking Disabled) bit set to 1.
+ This has been fixed. :gl:`#3247`
+
+- Previously, if Internet connectivity issues were experienced during
+ the initial startup of :iscman:`named`, a BIND resolver with
+ :any:`dnssec-validation` set to ``auto`` could enter into a state
+ where it would not recover without stopping :iscman:`named`, manually
+ deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
+ files, and starting :iscman:`named` again. This has been fixed.
+ :gl:`#2895`
+
+- The statistics counter representing the current number of clients
+ awaiting recursive resolution results (``RecursClients``) could
+ overflow in certain resolution scenarios. This has been fixed.
+ :gl:`#3584`
+
+- Previously, the port in remote servers such as in :any:`primaries` and
+ :any:`parental-agents` could be wrongly configured because of an
+ inheritance bug. This has been fixed. :gl:`#3627`
+
+- Previously, BIND failed to start on Solaris-based systems with
+ hundreds of CPUs. This has been fixed. :gl:`#3563`
+
+- When a DNS resource record's TTL value was equal to the resolver's
+ configured :any:`prefetch` "eligibility" value, the record was
+ erroneously not treated as eligible for prefetching. This has been
+ fixed. :gl:`#3603`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst
new file mode 100644
index 0000000..ee0d0f0
--- /dev/null
+++ b/doc/notes/notes-known-issues.rst
@@ -0,0 +1,62 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
+ a manual configuration change. The following configurations are
+ affected:
+
+ - :any:`type primary` zones configured with :any:`dnssec-policy` but
+ without either :any:`allow-update` or :any:`update-policy`,
+ - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+ In these cases please add :namedconf:ref:`inline-signing yes;
+ <inline-signing>` to the individual zone configuration(s). Without
+ applying this change, :iscman:`named` will fail to start. For more
+ details, see
+ https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND 9.18 does not support dynamic update forwarding (see
+ :any:`allow-update-forwarding`) in conjuction with zone transfers over
+ TLS (XoT). :gl:`#3512`
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+ be inspected when verifying a remote certificate while establishing a
+ DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+ instead. Unfortunately, some quite old versions of cryptographic
+ libraries might lack the ability to ignore the ``Subject`` field. This
+ should have minimal production-use consequences, as most of the
+ production-ready certificates issued by certificate authorities will
+ have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+ ignored. Only old platforms are affected by this, e.g. those supplied
+ with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+ the network manager currently has no support for UNIX-domain sockets,
+ those cannot now be used with ``rndc``. This will be addressed in a
+ future release, either by restoring UNIX-domain socket support or by
+ formally declaring them to be obsolete in the control channel.
+ :gl:`#1759`
+
+- Sending NOTIFY messages silently fails when the source port specified
+ in the :any:`notify-source` statement is already in use. This can
+ happen e.g. when multiple servers are configured as NOTIFY targets for
+ a zone and some of them are unresponsive. This issue can be worked
+ around by not specifying the source port for NOTIFY messages in the
+ :any:`notify-source` statement; note that source port configuration is
+ already `deprecated`_ and will be removed altogether in a future
+ release. :gl:`#4002`
+
+.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
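Review bot: Same typo as in notes-9.18.8.rst: "in conjuction with" in the second entry should be "in conjunction with". In the :rfc:`8310` entry, "Only ``subjectAltName`` must be checked instead" is hard to parse directly after a "MUST NOT"; "Instead, only ``subjectAltName`` is to be checked" states the requirement more clearly, and the entry would read better if "Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1" came right after the sentence about libraries lacking the ability to ignore the ``Subject`` field, so the scope of the issue is stated before its consequences.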