.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.6
---------------------

Feature Changes
~~~~~~~~~~~~~~~

- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
  disabled on systems where they are disallowed by the security policy
  (e.g. Red Hat Enterprise Linux 9). Primary zones using those
  algorithms need to be migrated to new algorithms prior to running on
  these systems, as graceful migration to different DNSSEC algorithms is
  not possible when RSASHA1 is disallowed by the operating system.
  :gl:`#3469`

- Log messages related to fetch limiting have been improved to provide
  more complete information. Specifically, the final counts of allowed
  and spilled fetches are now logged before the counter object is
  destroyed. :gl:`#3461`

Bug Fixes
~~~~~~~~~

- When running as a validating resolver forwarding all queries to
  another resolver, :iscman:`named` could crash with an assertion
  failure. These crashes occurred when the configured forwarder sent a
  broken DS response and :iscman:`named` failed its attempts to find a
  proper one instead. This has been fixed. :gl:`#3439`

- Non-dynamic zones that inherit :any:`dnssec-policy` from the
  :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
  marked as inline-signed and therefore never scheduled to be re-signed.
  This has been fixed. :gl:`#3438`

- The old :any:`max-zone-ttl` zone option was meant to be superseded by
  the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the
  latter option was not fully effective. This has been corrected: zones
  no longer load if they contain TTLs greater than the limit configured
  in :any:`dnssec-policy`. For zones with both the old
  :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the
  old option is ignored, and a warning is generated. :gl:`#2918`

- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
  expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
  the cache-cleaning time window has passed. :gl:`#3462`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
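
For the RSASHA1/NSEC3RSASHA1 change under Feature Changes, a pre-migration check can list the zone records that still use those algorithms. The script below is an added example, not part of BIND 9 or of these notes; the name ``find_sha1_records`` and the sample records are constructed for illustration, and it assumes one record per line with an explicit owner name.

```python
# DNSSEC algorithm numbers from the IANA registry: 5 = RSASHA1 and
# 7 = NSEC3RSASHA1, the two algorithms named in the release note.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1"}
# Mnemonics that may appear in place of the number in presentation format.
MNEMONICS = {"RSASHA1": 5, "NSEC3RSASHA1": 7, "RSASHA1-NSEC3-SHA1": 7}
# Position of the algorithm field inside the RDATA of each record type.
ALGORITHM_FIELD = {"DNSKEY": 2, "CDNSKEY": 2, "DS": 1, "CDS": 1, "RRSIG": 1}

def find_sha1_records(zone_text):
    """Return (owner, rrtype, algorithm) for records using RSASHA1/NSEC3RSASHA1.

    Assumption: one record per line (no parenthesised multi-line records).
    """
    findings = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop comments, then tokenise
        # The type follows the owner and the optional TTL and class fields.
        for i, tok in enumerate(tokens[1:4], start=1):
            rrtype = tok.upper()
            if rrtype not in ALGORITHM_FIELD:
                continue
            rdata = tokens[i + 1:]
            idx = ALGORITHM_FIELD[rrtype]
            if len(rdata) > idx:
                field = rdata[idx].upper()
                number = int(field) if field.isdigit() else MNEMONICS.get(field)
                if number in SHA1_ALGORITHMS:
                    findings.append((tokens[0], rrtype, SHA1_ALGORITHMS[number]))
            break
    return findings

# Constructed sample records; key, digest and signature data are shortened.
SAMPLE_ZONE = """\
; constructed sample, not taken from a real zone
example.com. 3600 IN DNSKEY 257 3 5 AwEAAc3x
example.com. 3600 IN DNSKEY 256 3 13 mdsswUyr
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20220901000000 20220801000000 12345 example.com. c2ln
sub.example.com. 3600 IN DS 12345 8 2 49FD46E6
legacy.example. 3600 IN DNSKEY 256 3 NSEC3RSASHA1 AwEAAb9k
"""

if __name__ == "__main__":
    for owner, rrtype, algorithm in find_sha1_records(SAMPLE_ZONE):
        print(f"{owner} {rrtype} uses {algorithm}: migrate before moving hosts")
```

Zones that produce any findings need their algorithm rollover completed on a system that still permits RSASHA1.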