1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12Notes for BIND 9.18.8
13---------------------
14
15Known Issues
16~~~~~~~~~~~~
17
18- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
19  a manual configuration change. The following configurations are
20  affected:
21
22  - :any:`type primary` zones configured with :any:`dnssec-policy` but
23    without either :any:`allow-update` or :any:`update-policy`,
24  - :any:`type secondary` zones configured with :any:`dnssec-policy`.
25
26  In these cases please add :namedconf:ref:`inline-signing yes;
27  <inline-signing>` to the individual zone configuration(s). Without
28  applying this change, :iscman:`named` will fail to start. For more
29  details, see
30  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
31
32- BIND 9.18 does not support dynamic update forwarding (see
33  :any:`allow-update-forwarding`) in conjuction with zone transfers over
34  TLS (XoT). :gl:`#3512`
35
36- See :ref:`above <relnotes_known_issues>` for a list of all known
37  issues affecting this BIND 9 branch.
38
39New Features
40~~~~~~~~~~~~
41
42- Support for parsing and validating the ``dohpath`` service parameter
43  in SVCB records was added. :gl:`#3544`
44
45- :iscman:`named` now logs the supported cryptographic algorithms during
46  startup and in the output of :option:`named -V`. :gl:`#3541`
47
48- The ``recursion not available`` and ``query (cache) '...' denied`` log
49  messages were extended to include the name of the ACL that caused a
50  given query to be denied. :gl:`#3587`
51
52Feature Changes
53~~~~~~~~~~~~~~~
54
55- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
56  using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
57  compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
58  environment variable at compile time. :gl:`#3578`
59
60Bug Fixes
61~~~~~~~~~
62
63- An assertion failure was fixed in :iscman:`named` that was caused by
64  aborting the statistics channel connection while sending statistics
65  data to the client. :gl:`#3542`
66
67- Changing just the TSIG key names for primaries in catalog zones'
68  member zones was not effective. This has been fixed. :gl:`#3557`
69