.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.3
---------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, TLS socket objects could be destroyed prematurely, which
  triggered assertion failures in :iscman:`named` instances serving
  DNS-over-HTTPS (DoH) clients. This has been fixed.

  ISC would like to thank Thomas Amgarten from arcade solutions ag for
  bringing this vulnerability to our attention. :cve:`2022-1183`
  :gl:`#3216`

Known Issues
~~~~~~~~~~~~

- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
  be inspected when verifying a remote certificate while establishing a
  DNS-over-TLS connection; only ``subjectAltName`` must be checked.
  Unfortunately, some quite old versions of cryptographic libraries lack
  the ability to ignore the ``Subject`` field. This should have minimal
  production-use consequences, as most production certificates issued by
  certificate authorities have ``subjectAltName`` set, in which case the
  ``Subject`` field is ignored. Only old platforms are affected, e.g.
  those supplied with OpenSSL versions older than 1.1.1. :gl:`#3163`

- See :ref:`above <relnotes_known_issues>` for a list of all known
  issues affecting this BIND 9 branch.

New Features
~~~~~~~~~~~~

- Catalog Zones schema version 2, as described in the
  "DNS Catalog Zones" IETF draft version 5 document, is now supported by
  :iscman:`named`. All of the previously supported BIND-specific catalog
  zone custom properties (:any:`primaries`, :any:`allow-query`, and
  :any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
  property, are now implemented. Schema version 1 is still supported,
  with some additional validation rules applied from schema version 2:
  for example, the :any:`version` property is mandatory, and a member zone
  PTR RRset must not contain more than one record. In the event of a
  validation error, a corresponding error message is logged to help with
  diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
  :gl:`#3224` :gl:`#3225`

- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` (info-code 3)
  and ``Stale NXDOMAIN Answer`` (info-code 19) when stale answers are
  returned from cache. :gl:`#2267`

- Add support for remote TLS certificate verification, both to
  :iscman:`named` and :iscman:`dig`, making it possible to implement
  Strict and Mutual TLS authentication, as described in :rfc:`9103`,
  Section 9.3. :gl:`#3163`

Bug Fixes
~~~~~~~~~

- Previously, CDS and CDNSKEY DELETE records were removed from the zone
  when configured with the ``auto-dnssec maintain;`` option. This has
  been fixed. :gl:`#2931`
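The catalog zone validation rules mentioned under New Features (a mandatory ``version`` property, and a member zone PTR RRset with no more than one record), as an added example that is not BIND's code. The record layout (``version.<catz>`` TXT, ``<unique>.zones.<catz>`` PTR, ``coo.<unique>.zones.<catz>`` PTR) follows the DNS Catalog Zones draft; the zone data, the label names ``m1``/``m2`` and the error wording are constructed for this example, and the validator's own choices (for instance, flagging ``coo`` under schema version 1) are not a description of what :iscman:`named` logs.

```python
"""Added example (not BIND's code): a reader and validator for the catalog
zone layout described in the DNS Catalog Zones draft, applying the rules the
release notes mention: a mandatory version property and a single PTR record
per member zone. All zone data below is constructed for this example."""
from collections import defaultdict

# Constructed schema-version-2 catalog (not from a real deployment).
SAMPLE_CATALOG = """\
catalog.example.              0 IN SOA  invalid. hostmaster.invalid. 2022060100 3600 600 86400 0
catalog.example.              0 IN NS   invalid.
version.catalog.example.      0 IN TXT  "2"
m1.zones.catalog.example.     0 IN PTR  example.com.
m2.zones.catalog.example.     0 IN PTR  example.net.
coo.m2.zones.catalog.example. 0 IN PTR  catalog-b.example.   ; example.net moves to catalog-b
"""

# Constructed invalid catalog: no version property, two PTRs for one member.
BAD_CATALOG = """\
catalog.example.              0 IN SOA  invalid. hostmaster.invalid. 1 3600 600 86400 0
catalog.example.              0 IN NS   invalid.
m1.zones.catalog.example.     0 IN PTR  example.com.
m1.zones.catalog.example.     0 IN PTR  example.org.
"""


def parse_master(text):
    """Minimal master-file reader: one 'owner TTL class TYPE rdata' record
    per line, ';' comments, single-token TXT, no $ORIGIN/$TTL or
    parentheses. Returns {(owner, type): [rdata, ...]} with owners
    lowercased and absolute."""
    rrsets = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if not owner.endswith("."):
            raise ValueError("relative owner name without $ORIGIN: " + owner)
        rrsets[(owner.lower(), rtype.upper())].append(rdata.strip().strip('"'))
    return dict(rrsets)


def validate_catalog(rrsets, catz):
    """Return (schema, members, coo, errors). members maps a member's unique
    label to its zone name; coo maps that label to the catalog the zone is
    being handed over to; errors is empty for a usable catalog."""
    catz = catz.lower()
    errors, members, coo = [], {}, {}

    # The version property is mandatory and must be a single TXT record.
    version = rrsets.get(("version." + catz, "TXT"), [])
    if len(version) != 1:
        errors.append("version property must be exactly one TXT record (found %d)" % len(version))
        schema = None
    elif version[0] not in ("1", "2"):
        errors.append("unsupported catalog zone schema version %r" % version[0])
        schema = None
    else:
        schema = int(version[0])

    suffix = ".zones." + catz
    for (owner, rtype), rdatas in rrsets.items():
        if rtype != "PTR" or not owner.endswith(suffix):
            continue
        labels = owner[:-len(suffix)].split(".")
        if len(labels) == 1:                          # <unique>.zones.<catz>
            if len(rdatas) != 1:                      # rule from the release notes
                errors.append("member %s: PTR RRset must contain exactly one record (found %d)"
                              % (owner, len(rdatas)))
            else:
                members[labels[0]] = rdatas[0].lower()
        elif len(labels) == 2 and labels[0] == "coo":  # coo.<unique>.zones.<catz>
            if len(rdatas) != 1:
                errors.append("coo property of %s must be a single PTR record" % owner)
            else:
                coo[labels[1]] = rdatas[0].lower()

    for unique in coo:
        if unique not in members:
            errors.append("coo property refers to unknown member zone label %r" % unique)
    if coo and schema == 1:   # this validator's choice: coo is a schema 2 property
        errors.append("coo is a schema version 2 property; the catalog declares version 1")
    return schema, members, coo, errors
```

Running ``validate_catalog(parse_master(SAMPLE_CATALOG), "catalog.example.")`` yields schema 2, two members and one ``coo`` entry with no errors, while ``BAD_CATALOG`` produces one error for the missing ``version`` property and one for the two-record PTR RRset of ``m1``.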
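The wire format behind the ``Stale Answer`` and ``Stale NXDOMAIN Answer`` extended errors listed under New Features, as an added example that is not BIND's code: an encoder and decoder for the :rfc:`8914` EDE option inside an OPT RR's RDATA. The option and info codes are taken from RFC 8914 (and RFC 5001 for NSID); the sample RDATA and its text are constructed, not a capture.

```python
"""Added example (not BIND's code): encode and decode the Extended DNS Error
option of RFC 8914 as carried in an OPT RR's RDATA, including the two
info-codes a resolver attaches when it answers from stale cache."""
import struct

EDNS_OPTION_NSID = 3     # RFC 5001; used below only as 'some other option'
EDNS_OPTION_EDE = 15     # RFC 8914, Section 2

# RFC 8914, Section 4: the subset of the INFO-CODE registry used here.
EDE_INFO_CODES = {
    0: "Other",
    3: "Stale Answer",
    6: "DNSSEC Bogus",
    19: "Stale NXDOMAIN Answer",
}
EDE_STALE_ANSWER = 3
EDE_STALE_NXDOMAIN_ANSWER = 19


def encode_ede(info_code, extra_text=""):
    """One EDNS option: OPTION-CODE=15, OPTION-LENGTH, then EDE OPTION-DATA
    made of a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT."""
    if not 0 <= info_code <= 0xFFFF:
        raise ValueError("INFO-CODE does not fit in 16 bits")
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDNS_OPTION_EDE, len(data)) + data


def parse_opt_options(rdata):
    """Split OPT RDATA into [(option_code, option_data), ...], rejecting
    truncated or overlong encodings instead of silently skipping them."""
    options, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("EDNS option length runs past end of RDATA")
        options.append((code, bytes(rdata[off:off + length])))
        off += length
    if off != len(rdata):
        raise ValueError("trailing bytes after last EDNS option")
    return options


def extended_errors(rdata):
    """Return [(info_code, name, extra_text), ...] for every EDE option.
    A resolver that served stale data attaches code 3 (or 19 for a stale
    negative answer) so a client can tell it apart from a fresh answer."""
    found = []
    for code, data in parse_opt_options(rdata):
        if code != EDNS_OPTION_EDE:
            continue
        if len(data) < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        info = struct.unpack("!H", data[:2])[0]
        # EXTRA-TEXT may be NUL-terminated but must not be assumed to be;
        # its length comes from OPTION-LENGTH (RFC 8914, Section 2).
        text = data[2:].rstrip(b"\x00").decode("utf-8", errors="replace")
        found.append((info, EDE_INFO_CODES.get(info, "Unassigned"), text))
    return found


def is_well_formed(rdata):
    """True when the RDATA parses without error."""
    try:
        extended_errors(rdata)
        return True
    except ValueError:
        return False


# Constructed OPT RDATA (not a capture): an NSID option followed by a
# Stale NXDOMAIN Answer EDE whose sender NUL-terminated the text.
SAMPLE_OPT_RDATA = (
    struct.pack("!HH", EDNS_OPTION_NSID, 4) + b"ns01"
    + encode_ede(EDE_STALE_NXDOMAIN_ANSWER, "negative cache entry expired\x00")
)
```

The parser refuses an option whose length runs past the RDATA and any trailing bytes, rather than ignoring them: a decoder that silently tolerates malformed OPT data is a common source of parser differentials. Note that EDE is informational only; the RCODE, not the EDE, decides how a client treats the response.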
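The two TLS points above, the :rfc:`8310` Section 8.1 rule from Known Issues (match only ``subjectAltName``, never the ``Subject`` field) and the Strict/Mutual TLS authentication from New Features (:rfc:`9103`, Section 9.3), as one added example in Python's ``ssl`` module. This is not BIND's code and does not show :iscman:`named` or :iscman:`dig` configuration: the certificate dicts are constructed in the shape returned by ``ssl.SSLSocket.getpeercert()``, and the CA, certificate and key file arguments are placeholders supplied by the caller.

```python
"""Added example (not BIND's code): RFC 8310 Section 8.1 name matching that
ignores the Subject field, and RFC 9103 Section 9.3 Strict / Mutual TLS
client contexts. Certificates are constructed dicts in getpeercert() shape."""
import ipaddress
import ssl

# Constructed peer certificates (not real). CERT_CN_ONLY carries the expected
# name only in the Subject CN, which RFC 8310 says must not be inspected.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ns1.example.net"),),),
}
CERT_SAN = {
    "subject": ((("commonName", "something-else"),),),
    "subjectAltName": (("DNS", "ns1.example.net"), ("DNS", "*.pool.example.net"),
                       ("IP Address", "192.0.2.53"), ("IP Address", "2001:db8::53")),
}


def san_names(cert):
    """Return (dns_patterns, ip_addresses) taken only from subjectAltName."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def _dns_match(pattern, host):
    """Exact match, or one leftmost wildcard label matching exactly one label
    (the RFC 6125 Section 6.4.3 subset; no partial-label wildcards)."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parent = pattern[2:]
        # Refuse wildcards on a bare suffix such as "*.net".
        return "." in parent and host.split(".", 1)[1:] == [parent]
    return False


def peer_name_ok(cert, reference):
    """True if the configured reference identifier (DNS name or IP literal)
    appears in subjectAltName. The Subject field is never consulted."""
    dns, ips = san_names(cert)
    try:
        return ipaddress.ip_address(reference) in ips
    except ValueError:
        host = reference.lower().rstrip(".")
        return any(_dns_match(p, host) for p in dns)


def strict_tls_context(ca_file=None):
    """Strict TLS (RFC 9103 Section 9.3): require a chain to the configured
    CA and a matching name; an unauthenticated server is refused. Pass the
    expected name as server_hostname= when wrapping the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file is not None:            # placeholder path supplied by the caller
        ctx.load_verify_locations(cafile=ca_file)
    # Have OpenSSL apply RFC 8310 itself and never fall back to the Subject
    # CN (Python 3.7+; needs OpenSSL's NEVER_CHECK_SUBJECT support, which is
    # exactly what the Known Issues entry says old libraries lack).
    if hasattr(ctx, "hostname_checks_common_name"):
        ctx.hostname_checks_common_name = False
    return ctx


def mutual_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Mutual TLS (RFC 9103 Section 9.3): Strict TLS plus our own certificate
    and key, so the server can authenticate this client in turn."""
    ctx = strict_tls_context(ca_file)
    if cert_file is not None:          # placeholder paths supplied by the caller
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def context_is_strict(ctx):
    """Chain verification required, name checked, CN fallback off."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and not getattr(ctx, "hostname_checks_common_name", False))
```

With ``CERT_CN_ONLY`` the check fails even though the CN matches, which is the behaviour RFC 8310 requires and which the Known Issues entry says cannot be obtained on platforms whose OpenSSL predates 1.1.1; on those platforms the application-level check in ``peer_name_ok`` is the only place the rule can be enforced.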