1272953Srodrigc.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2264790Sbapt..
3264790Sbapt.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12Notes for BIND 9.18.6
13---------------------
14
15Feature Changes
16~~~~~~~~~~~~~~~
17
18- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
19  disabled on systems where they are disallowed by the security policy
20  (e.g. Red Hat Enterprise Linux 9). Primary zones using those
21  algorithms need to be migrated to new algorithms prior to running on
22  these systems, as graceful migration to different DNSSEC algorithms is
23  not possible when RSASHA1 is disallowed by the operating system.
24  :gl:`#3469`
25
26- Log messages related to fetch limiting have been improved to provide
27  more complete information. Specifically, the final counts of allowed
28  and spilled fetches are now logged before the counter object is
29  destroyed. :gl:`#3461`
30
31Bug Fixes
32~~~~~~~~~
33
34- When running as a validating resolver forwarding all queries to
35  another resolver, :iscman:`named` could crash with an assertion
36  failure. These crashes occurred when the configured forwarder sent a
37  broken DS response and :iscman:`named` failed its attempts to find a
38  proper one instead. This has been fixed. :gl:`#3439`
39
40- Non-dynamic zones that inherit :any:`dnssec-policy` from the
41  :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
42  marked as inline-signed and therefore never scheduled to be re-signed.
43  This has been fixed. :gl:`#3438`
44
45- The old :any:`max-zone-ttl` zone option was meant to be superseded by
46  the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the
47  latter option was not fully effective. This has been corrected: zones
48  no longer load if they contain TTLs greater than the limit configured
49  in :any:`dnssec-policy`. For zones with both the old
50  :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the
51  old option is ignored, and a warning is generated. :gl:`#2918`
52
53- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
54  expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
55  the cache-cleaning time window has passed. :gl:`#3462`
56
57Known Issues
58~~~~~~~~~~~~
59
60- There are no new known issues with this release. See :ref:`above
61  <relnotes_known_issues>` for a list of all known issues affecting this
62  BIND 9 branch.
63