1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12.. _relnotes_known_issues: 13 14Known Issues 15------------ 16 17- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require 18 a manual configuration change. The following configurations are 19 affected: 20 21 - :any:`type primary` zones configured with :any:`dnssec-policy` but 22 without either :any:`allow-update` or :any:`update-policy`, 23 - :any:`type secondary` zones configured with :any:`dnssec-policy`. 24 25 In these cases please add :namedconf:ref:`inline-signing yes; 26 <inline-signing>` to the individual zone configuration(s). Without 27 applying this change, :iscman:`named` will fail to start. For more 28 details, see 29 https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing 30 31- BIND 9.18 does not support dynamic update forwarding (see 32 :any:`allow-update-forwarding`) in conjuction with zone transfers over 33 TLS (XoT). :gl:`#3512` 34 35- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT 36 be inspected when verifying a remote certificate while establishing a 37 DNS-over-TLS connection. Only ``subjectAltName`` must be checked 38 instead. Unfortunately, some quite old versions of cryptographic 39 libraries might lack the ability to ignore the ``Subject`` field. This 40 should have minimal production-use consequences, as most of the 41 production-ready certificates issued by certificate authorities will 42 have ``subjectAltName`` set. In such cases, the ``Subject`` field is 43 ignored. Only old platforms are affected by this, e.g. those supplied 44 with OpenSSL versions older than 1.1.1. :gl:`#3163` 45 46- ``rndc`` has been updated to use the new BIND network manager API. As 47 the network manager currently has no support for UNIX-domain sockets, 48 those cannot now be used with ``rndc``. This will be addressed in a 49 future release, either by restoring UNIX-domain socket support or by 50 formally declaring them to be obsolete in the control channel. 51 :gl:`#1759` 52 53- Sending NOTIFY messages silently fails when the source port specified 54 in the :any:`notify-source` statement is already in use. This can 55 happen e.g. when multiple servers are configured as NOTIFY targets for 56 a zone and some of them are unresponsive. This issue can be worked 57 around by not specifying the source port for NOTIFY messages in the 58 :any:`notify-source` statement; note that source port configuration is 59 already `deprecated`_ and will be removed altogether in a future 60 release. :gl:`#4002` 61 62.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781 63