1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. _relnotes_known_issues:
Known Issues
------------
- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
a manual configuration change. The following configurations are
affected:
- :any:`type primary` zones configured with :any:`dnssec-policy` but
without either :any:`allow-update` or :any:`update-policy`,
- :any:`type secondary` zones configured with :any:`dnssec-policy`.
In these cases please add :namedconf:ref:`inline-signing yes;
<inline-signing>` to the individual zone configuration(s). Without
applying this change, :iscman:`named` will fail to start. For more
details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
- BIND 9.18 does not support dynamic update forwarding (see
:any:`allow-update-forwarding`) in conjuction with zone transfers over
TLS (XoT). :gl:`#3512`
- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
be inspected when verifying a remote certificate while establishing a
DNS-over-TLS connection. Only ``subjectAltName`` must be checked
instead. Unfortunately, some quite old versions of cryptographic
libraries might lack the ability to ignore the ``Subject`` field. This
should have minimal production-use consequences, as most of the
production-ready certificates issued by certificate authorities will
have ``subjectAltName`` set. In such cases, the ``Subject`` field is
ignored. Only old platforms are affected by this, e.g. those supplied
with OpenSSL versions older than 1.1.1. :gl:`#3163`
- ``rndc`` has been updated to use the new BIND network manager API. As
the network manager currently has no support for UNIX-domain sockets,
those cannot now be used with ``rndc``. This will be addressed in a
future release, either by restoring UNIX-domain socket support or by
formally declaring them to be obsolete in the control channel.
:gl:`#1759`
- Sending NOTIFY messages silently fails when the source port specified
in the :any:`notify-source` statement is already in use. This can
happen e.g. when multiple servers are configured as NOTIFY targets for
a zone and some of them are unresponsive. This issue can be worked
around by not specifying the source port for NOTIFY messages in the
:any:`notify-source` statement; note that source port configuration is
already `deprecated`_ and will be removed altogether in a future
release. :gl:`#4002`
.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
|
