.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.8
---------------------

Known Issues
~~~~~~~~~~~~

- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
  a manual configuration change. The following configurations are
  affected:

  - :any:`type primary` zones configured with :any:`dnssec-policy` but
    without either :any:`allow-update` or :any:`update-policy`,
  - :any:`type secondary` zones configured with :any:`dnssec-policy`.

  In these cases please add :namedconf:ref:`inline-signing yes;
  <inline-signing>` to the individual zone configuration(s). Without
  applying this change, :iscman:`named` will fail to start. For more
  details, see
  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

- BIND 9.18 does not support dynamic update forwarding (see
  :any:`allow-update-forwarding`) in conjunction with zone transfers over
  TLS (XoT). :gl:`#3512`

- See :ref:`above <relnotes_known_issues>` for a list of all known
  issues affecting this BIND 9 branch.

New Features
~~~~~~~~~~~~

- Support for parsing and validating the ``dohpath`` service parameter
  in SVCB records was added. :gl:`#3544`

- :iscman:`named` now logs the supported cryptographic algorithms during
  startup and in the output of :option:`named -V`. :gl:`#3541`

- The ``recursion not available`` and ``query (cache) '...' denied`` log
  messages were extended to include the name of the ACL that caused a
  given query to be denied. :gl:`#3587`

Feature Changes
~~~~~~~~~~~~~~~

- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
  using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
  compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
  environment variable at compile time. :gl:`#3578`

Bug Fixes
~~~~~~~~~

- An assertion failure was fixed in :iscman:`named` that was caused by
  aborting the statistics channel connection while sending statistics
  data to the client. :gl:`#3542`

- Changing just the TSIG key names for primaries in catalog zones'
  member zones was not effective. This has been fixed. :gl:`#3557`
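
A pre-upgrade screen for the first known issue above, added here as an example (it is not ISC's code): it flags zones that match the two affected configurations and lack ``inline-signing yes;``. It assumes quoted zone names and that every relevant statement sits inside the zone block itself (no ``include`` files, nothing inherited from ``options`` or ``view``), treats ``master``/``slave`` as synonyms, and skips ``dnssec-policy none``; the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONF = '''
zone "static.example" {
    type primary; dnssec-policy default;  // no allow-update / update-policy
};
zone "dynamic.example" {
    type primary; dnssec-policy default; update-policy local;
};
zone "mirror.example" {
    type secondary; primaries { 192.0.2.1; }; dnssec-policy default;
};
zone "fixed.example" {
    type secondary; primaries { 192.0.2.1; }; dnssec-policy default; inline-signing yes;
};
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # /* ... */
    return re.sub(r'(//|#)[^\n]*', '', text)            # // ... and # ...

def zone_blocks(text):  # yield (zone name, body) by matching braces
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def statements(body):  # map top-level statement keyword -> value
    while re.search(r'\{[^{}]*\}', body):        # drop nested { ... } blocks
        body = re.sub(r'\{[^{}]*\}', ' ', body)
    parts = (s.split() for s in body.split(';'))
    return {p[0]: ' '.join(p[1:]).strip('"') for p in parts if p}

def needs_inline_signing(conf):
    flagged = []
    for name, body in zone_blocks(strip_comments(conf)):
        s = statements(body)
        if s.get('dnssec-policy', 'none') == 'none' or s.get('inline-signing') == 'yes':
            continue                             # no policy, or already fixed
        ztype = s.get('type')
        dynamic = 'allow-update' in s or 'update-policy' in s
        if ztype in ('secondary', 'slave') or (ztype in ('primary', 'master') and not dynamic):
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    print(needs_inline_signing(SAMPLE_CONF))
```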