add CHANGES and release notes entries.

2018-11-23 15:41:30 +11:00
parent 9eec02a81f
commit c8e92d3e45
2 changed files with 18 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
+5108.	[bug]		Named could fail to determine bottom of zone when
+			removing out of date keys leading to invalid NSEC
+			and NSEC3 records being added to the zone. [GL #771]
+
 5107.	[bug]		'host -U' did not work.	[GL #769]

 5106.	[experimental]	A new "plugin" mechanism has been added to allow
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -126,6 +126,20 @@
 	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  Code change #4964, intended to prevent double signatures
+	  when deleting an inactive zone DNSKEY in some situations,
+	  introduced a new problem during zone processing in which
+	  some delegation glue RRsets are incorrectly identified
+	  as needing RRSIGs, which are then created for them using
+	  the current active ZSK for the zone. In some, but not all
+	  cases, the newly-signed RRsets are added to the zone's
+	  NSEC/NSEC3 chain, but incompletely -- this can result in
+	  a broken chain, affecting validation of proof of nonexistence
+	  for records in the zone. [GL #771]
+	</para>
+      </listitem>
    </itemizedlist>
  </section>