.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.3
---------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, TLS socket objects could be destroyed prematurely, which
  triggered assertion failures in :iscman:`named` instances serving
  DNS-over-HTTPS (DoH) clients. This has been fixed.

  ISC would like to thank Thomas Amgarten from arcade solutions ag for
  bringing this vulnerability to our attention. :cve:`2022-1183`
  :gl:`#3216`

Known Issues
~~~~~~~~~~~~

- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
  be inspected when verifying a remote certificate while establishing a
  DNS-over-TLS connection; only ``subjectAltName`` is to be checked.
  Unfortunately, some quite old versions of cryptographic libraries lack
  the ability to ignore the ``Subject`` field. This should have minimal
  production-use consequences, as most production-ready certificates
  issued by certificate authorities have ``subjectAltName`` set, and in
  such cases the ``Subject`` field is ignored. Only old platforms are
  affected, e.g. those supplied with OpenSSL versions older than 1.1.1.
  :gl:`#3163`

- See :ref:`above <relnotes_known_issues>` for a list of all known
  issues affecting this BIND 9 branch.

New Features
~~~~~~~~~~~~

- Catalog Zones schema version 2, as described in the
  "DNS Catalog Zones" IETF draft version 5 document, is now supported by
  :iscman:`named`. All of the previously supported BIND-specific catalog
  zone custom properties (:any:`primaries`, :any:`allow-query`, and
  :any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
  property, are now implemented. Schema version 1 is still supported,
  with some additional validation rules applied from schema version 2:
  for example, the :any:`version` property is mandatory, and a member zone
  PTR RRset must not contain more than one record. In the event of a
  validation error, a corresponding error message is logged to help with
  diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
  :gl:`#3224` :gl:`#3225`

- The DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
  ``Stale NXDOMAIN Answer`` are now supported when stale answers are
  returned from cache. :gl:`#2267`

- Support for remote TLS certificate verification has been added to both
  :iscman:`named` and :iscman:`dig`, making it possible to implement
  Strict and Mutual TLS authentication, as described in :rfc:`9103`,
  Section 9.3. :gl:`#3163`
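
As an added illustration of the SAN-only rule behind the known issue
above and of the remote certificate verification now available in
:iscman:`named` and :iscman:`dig`, the following Python check names a DoT
peer from ``subjectAltName`` alone, never from ``Subject``; it is example
code, not BIND's implementation, it operates on the dict layout returned
by ``ssl.SSLSocket.getpeercert()``, and the sample certificates are
constructed.

```python
"""SAN-only peer name check for DNS-over-TLS, per RFC 8310, Section 8.1.
Works on the dict layout of ssl.SSLSocket.getpeercert(); the certificates
at the bottom are constructed samples, not real ones."""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_dot_peer_name(cert: dict, expected: str) -> bool:
    """True iff `expected` (hostname or IP literal) is listed in subjectAltName.

    The Subject/CN is deliberately never consulted. A certificate with no
    subjectAltName is rejected even when its CN matches, which is exactly what
    a library that cannot ignore the Subject field gets wrong.
    """
    try:
        want_ip = ipaddress.ip_address(expected)
    except ValueError:
        want_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == want_ip:
                    return True
            except ValueError:
                continue
        elif want_ip is None and kind == "DNS" and _dns_label_match(value, expected):
            return True
    return False


# Constructed sample certificates in getpeercert() layout (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "dot.example.net"),),),
    "subjectAltName": (("DNS", "dot.example.net"), ("IP Address", "192.0.2.53")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "dot.example.net"),),)}  # no SAN: reject
```

A verifier that accepted ``CERT_CN_ONLY`` would be exhibiting the old-library behaviour the known issue describes.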

Bug Fixes
~~~~~~~~~

- Previously, CDS and CDNSKEY DELETE records were removed from the zone
  when configured with the ``auto-dnssec maintain;`` option. This has
  been fixed. :gl:`#2931`
