Package: bind9
Version: 1:9.19.24-185-g392e7199df2-1

Version 1:9.19.24-185-g392e7199df2-1 of the bind9 package includes this change:

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9046

This changes the default ACL for zone transfers (allow-transfer) from
"allow by default" to "deny by default".

While I think this change makes sense in and of itself from a security
perspective, it has the potential to cause widespread breakage to
existing setups that may accidentally rely on zone transfers being
allowed by default - this is what happened to me when I updated.

What makes this worse is that zone transfer breakage can easily go
unnoticed initially since it only affects secondaries. Operators may
end up finding out their secondaries don't work at the worst possible
time - again, speaking from experience here.

It may be worth taking steps to reduce the likelihood of breaking
existing setups before this change percolates down to testing and
stable. For example, displaying some kind of big warning on package
update.

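One way to find the zones that would be affected before upgrading, as an added example that is not part of the original report or of the BIND project: the function below lists primary zones that have no allow-transfer statement in the zone, its view, or options, and therefore depend on the default. The sample configuration, the key name "xfer-key" and the function names are constructed for illustration.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(tokens):
    """Turn a flat token list into nested (words, children) statements."""
    stmts, words, children = [], [], None
    while tokens:
        tok = tokens.pop(0)
        if tok == "{":
            children = parse(tokens)
        elif tok == "}":
            return stmts
        elif tok == ";":
            if words or children is not None:
                stmts.append((words, children))
            words, children = [], None
        else:
            words.append(tok.strip('"'))
    return stmts

def has(stmts, name):
    return any(w[:1] == [name] for w, _ in stmts)

def zones_relying_on_default(conf):
    """Return (view, zone) for primary zones with no allow-transfer in scope."""
    # Naive comment stripping: markers inside quoted strings are not handled.
    conf = re.sub(r"/\*.*?\*/|(#|//)[^\n]*", "", conf, flags=re.S)
    top = parse(TOKEN.findall(conf))
    found = []
    def walk(stmts, inherited, view):
        for words, kids in stmts:
            if words[:1] == ["view"] and kids:
                walk(kids, inherited or has(kids, "allow-transfer"), words[1])
            elif words[:1] == ["zone"] and kids:
                primary = any(w[:1] == ["type"] and w[1:2] in (["primary"], ["master"])
                              for w, _ in kids)
                if primary and not (inherited or has(kids, "allow-transfer")):
                    found.append((view, words[1]))
    opts = [k for w, k in top if w[:1] == ["options"] and k]
    walk(top, any(has(k, "allow-transfer") for k in opts), None)
    return found

# Constructed sample configuration (not taken from the bug report).
SAMPLE = '''
options { directory "/var/cache/bind"; };
zone "example.com" { type primary; file "db.example.com"; // allow-transfer { 192.0.2.53; };
};
zone "example.net" { type primary; file "db.example.net"; allow-transfer { key "xfer-key"; }; };
zone "example.org" { type secondary; primaries { 192.0.2.1; }; };
'''
```

The function does not follow include statements; `named-checkconf -p` prints the configuration with includes expanded and can supply its input.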