Repeat Known Issues at the top of Release Notes page

From now on all per-version notes link to the global list
of Known Issues. If there is a new note it should be listed twice:
In the per-version list, and in the global list.

(cherry picked from commit c58dd2790a)

doc/arm/notes.rst

@@ -33,6 +33,8 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
+.. include:: ../notes/notes-known-issues.rst
+
 .. include:: ../notes/notes-current.rst
 .. include:: ../notes/notes-9.18.8.rst
 .. include:: ../notes/notes-9.18.7.rst

doc/notes/notes-9.18.0.rst

@@ -26,6 +26,9 @@ Known Issues
   formally declaring them to be obsolete in the control channel.
   :gl:`#1759`
 
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
 New Features
 ~~~~~~~~~~~~
 

doc/notes/notes-9.18.1.rst

@@ -98,3 +98,10 @@ Bug Fixes
 
 - Build errors were introduced in some DLZ modules due to an incomplete
   change in the previous release. This has been fixed. :gl:`#3111`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.2.rst

@@ -44,3 +44,10 @@ Bug Fixes
 - Handling of TCP write timeouts has been improved to track the timeout
   for each TCP write separately, leading to a faster connection teardown
   in case the other party is not reading the data. :gl:`#3200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.3.rst

@@ -37,6 +37,9 @@ Known Issues
   ignored. Only old platforms are affected by this, e.g. those supplied
   with OpenSSL versions older than 1.1.1. :gl:`#3163`
 
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
 New Features
 ~~~~~~~~~~~~
 

doc/notes/notes-9.18.4.rst

@@ -35,3 +35,10 @@ Bug Fixes
   ran, whether the metadata had changed or not. :iscman:`named` now
   checks whether changes were applied before writing out the key files.
   :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.5.rst

@@ -50,3 +50,10 @@ Bug Fixes
 - It was possible for a catalog zone consumer to process a catalog zone
   member zone when there was a configured pre-existing forward-only
   forward zone with the same name. This has been fixed. :gl:`#2506`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.6.rst

@@ -53,3 +53,10 @@ Bug Fixes
 - :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
   expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
   the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.7.rst

@@ -71,3 +71,10 @@ Bug Fixes
   from cache for lookups that received duplicate queries or queries that
   would be dropped. This bug resulted in premature SERVFAIL responses,
   and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-9.18.8.rst

@@ -33,6 +33,9 @@ Known Issues
   :any:`allow-update-forwarding`) in conjuction with zone transfers over
   TLS (XoT). :gl:`#3512`
 
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
 New Features
 ~~~~~~~~~~~~
 

doc/notes/notes-current.rst

@@ -17,11 +17,6 @@ Security Fixes
 
 - None.
 
-Known Issues
-~~~~~~~~~~~~
-
-- None.
-
 New Features
 ~~~~~~~~~~~~
 
@@ -63,3 +58,10 @@ Bug Fixes
 
 - Fixed a crash that happens when you reconfigure a ``dnssec-policy``
   zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.

doc/notes/notes-known-issues.rst

@@ -0,0 +1,51 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
+  a manual configuration change. The following configurations are
+  affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but
+    without either :any:`allow-update` or :any:`update-policy`,
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to the individual zone configuration(s). Without
+  applying this change, :iscman:`named` will fail to start. For more
+  details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND 9.18 does not support dynamic update forwarding (see
+  :any:`allow-update-forwarding`) in conjuction with zone transfers over
+  TLS (XoT). :gl:`#3512`
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+  be inspected when verifying a remote certificate while establishing a
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+  instead. Unfortunately, some quite old versions of cryptographic
+  libraries might lack the ability to ignore the ``Subject`` field. This
+  should have minimal production-use consequences, as most of the
+  production-ready certificates issued by certificate authorities will
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+  ignored. Only old platforms are affected by this, e.g. those supplied
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+  the network manager currently has no support for UNIX-domain sockets,
+  those cannot now be used with ``rndc``. This will be addressed in a
+  future release, either by restoring UNIX-domain socket support or by
+  formally declaring them to be obsolete in the control channel.
+  :gl:`#1759`