bind/doc/notes/notes-current.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.3
---------------------

Security Fixes
~~~~~~~~~~~~~~

- None.

Known Issues
~~~~~~~~~~~~

- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
  inspected when verifying a remote certificate while establishing a
  DNS-over-TLS connection. Only SubjectAltName must be checked
  instead. Unfortunately, some quite old versions of cryptographic
  libraries might lack the functionality to ignore the Subject
  field. It should have minimal production use consequences, as most
  of the production-ready certificates issued by certificate
  authorities will have SubjectAltNames set. In such a case, the
  Subject field is ignored. Only old platforms are affected by this,
  e.g., those supplied with OpenSSL versions older than 1.1.1.

New Features
~~~~~~~~~~~~

- Add DNS Extended Errors (:rfc:`8914`) when stale answers are returned from
  cache. :gl:`#2267`

- Add support for remote TLS certificates verification, both to BIND
  and ``dig``, making it possible to implement Strict and Mutual TLS
  authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`

Removed Features
~~~~~~~~~~~~~~~~

- None.

Feature Changes
~~~~~~~~~~~~~~~

- None.

Bug Fixes
~~~~~~~~~

- CDS and CDNSKEY DELETE records are removed from the zone when configured with
  'auto-dnssec maintain;'. This has been fixed. :gl:`#2931`.
Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00			`.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`..`
			`.. SPDX-License-Identifier: MPL-2.0`
			`..`
			`.. This Source Code Form is subject to the terms of the Mozilla Public`
			`.. License, v. 2.0. If a copy of the MPL was not distributed with this`
			`.. file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`..`
			`.. See the COPYRIGHT file distributed with this work for additional`
			`.. information regarding copyright ownership.`

Set up release notes for BIND 9.18.3 2022-04-12 14:13:32 +02:00			`Notes for BIND 9.18.3`
Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00			`---------------------`

			`Security Fixes`
			`~~~~~~~~~~~~~~`

			`- None.`

			`Known Issues`
			`~~~~~~~~~~~~`

Update the "Known Issues" Mention that some old cryptographic library versions lack the functionality to implement ignoring the Subject field (and thus the Common Name) when establishing DoT connections. 2022-02-21 10:25:41 +02:00			`- According to RFC 8310, Section 8.1, the Subject field MUST NOT be`
			`inspected when verifying a remote certificate while establishing a`
			`DNS-over-TLS connection. Only SubjectAltName must be checked`
			`instead. Unfortunately, some quite old versions of cryptographic`
			`libraries might lack the functionality to ignore the Subject`
			`field. It should have minimal production use consequences, as most`
			`of the production-ready certificates issued by certificate`
			`authorities will have SubjectAltNames set. In such a case, the`
			`Subject field is ignored. Only old platforms are affected by this,`
			`e.g., those supplied with OpenSSL versions older than 1.1.1.`
Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00
			`New Features`
			`~~~~~~~~~~~~`

Add CHANGES and release notes for #2267 (cherry picked from commit a320f4ed044a1d44efe139a5cfa3f1fab8c8252b) 2022-04-21 10:45:01 +02:00			- Add DNS Extended Errors (:rfc:`8914`) when stale answers are returned from
			cache. :gl:`#2267`
Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00
Mention TLS certs verification in the CHANGES and Release Notes This commit adds points to the CHANGES and the release notes about supporting remote TLS certificates verification and support for Strict and Mutual TLS transport connections verification. 2022-02-21 16:02:32 +02:00			`- Add support for remote TLS certificates verification, both to BIND`
			and ``dig``, making it possible to implement Strict and Mutual TLS
			authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`

Set up release notes for BIND 9.18.2 2022-03-16 23:18:18 +01:00			`Removed Features`
			`~~~~~~~~~~~~~~~~`

			`- None.`

			`Feature Changes`
			`~~~~~~~~~~~~~~~`

			`- None.`

			`Bug Fixes`
			`~~~~~~~~~`

Add CHANGE and release note for #2931 Release note worthy. (cherry picked from commit ebbcf4c34fc53a1d7e286d1f9cf2741bd688e03d) 2022-01-10 17:45:00 +01:00			`- CDS and CDNSKEY DELETE records are removed from the zone when configured with`
			'auto-dnssec maintain;'. This has been fixed. :gl:`#2931`.