2022-03-16 23:18:18 +01:00
|
|
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
|
|
..
|
|
|
|
|
.. SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
..
|
|
|
|
|
.. This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
|
..
|
|
|
|
|
.. See the COPYRIGHT file distributed with this work for additional
|
|
|
|
|
.. information regarding copyright ownership.
|
|
|
|
|
|
2022-04-12 14:13:32 +02:00
|
|
|
Notes for BIND 9.18.3
|
2022-03-16 23:18:18 +01:00
|
|
|
---------------------
|
|
|
|
|
|
|
|
|
|
Security Fixes
|
|
|
|
|
~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
- None.
|
|
|
|
|
|
|
|
|
|
Known Issues
|
|
|
|
|
~~~~~~~~~~~~
|
|
|
|
|
|
2022-02-21 10:25:41 +02:00
|
|
|
- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
|
|
|
|
|
inspected when verifying a remote certificate while establishing a
|
|
|
|
|
DNS-over-TLS connection. Only SubjectAltName must be checked
|
|
|
|
|
instead. Unfortunately, some quite old versions of cryptographic
|
|
|
|
|
libraries might lack the functionality to ignore the Subject
|
|
|
|
|
field. It should have minimal production use consequences, as most
|
|
|
|
|
of the production-ready certificates issued by certificate
|
|
|
|
|
authorities will have SubjectAltNames set. In such a case, the
|
|
|
|
|
Subject field is ignored. Only old platforms are affected by this,
|
|
|
|
|
e.g., those supplied with OpenSSL versions older than 1.1.1.
|
2022-03-16 23:18:18 +01:00
|
|
|
|
|
|
|
|
New Features
|
|
|
|
|
~~~~~~~~~~~~
|
|
|
|
|
|
2022-04-21 10:45:01 +02:00
|
|
|
- Add DNS Extended Errors (:rfc:`8914`) when stale answers are returned from
|
|
|
|
|
cache. :gl:`#2267`
|
2022-03-16 23:18:18 +01:00
|
|
|
|
2022-02-21 16:02:32 +02:00
|
|
|
- Add support for remote TLS certificates verification, both to BIND
|
|
|
|
|
and ``dig``, making it possible to implement Strict and Mutual TLS
|
|
|
|
|
authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`
|
|
|
|
|
|
2022-05-03 09:28:26 +00:00
|
|
|
- Catalog Zones schema version 2, as described in the "DNS Catalog Zones" IETF
|
|
|
|
|
draft version 5 document, is now supported by :iscman:`named`. All of the
|
|
|
|
|
previously supported BIND-specific catalog zone custom properties
|
|
|
|
|
(``primaries``, ``allow-query``, and ``allow-transfer``), as well as the new
|
|
|
|
|
Change of Ownership (``coo``) property, are now implemented. Schema version 1
|
|
|
|
|
is still supported, with some additional validation rules applied from
|
|
|
|
|
schema version 2: for example, the ``version`` property is mandatory, and a
|
|
|
|
|
member zone PTR RRset must not contain more than one record. In the event of a
|
|
|
|
|
validation error, a corresponding error message is logged to help with
|
|
|
|
|
diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223` :gl:`#3224`
|
|
|
|
|
:gl:`#3225`
|
|
|
|
|
|
2022-03-16 23:18:18 +01:00
|
|
|
Removed Features
|
|
|
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
- None.
|
|
|
|
|
|
|
|
|
|
Feature Changes
|
|
|
|
|
~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
- None.
|
|
|
|
|
|
|
|
|
|
Bug Fixes
|
|
|
|
|
~~~~~~~~~
|
|
|
|
|
|
2022-01-10 17:45:00 +01:00
|
|
|
- CDS and CDNSKEY DELETE records are removed from the zone when configured with
|
|
|
|
|
'auto-dnssec maintain;'. This has been fixed. :gl:`#2931`.
|
