Commit c8e92d3e authored by Mark Andrews's avatar Mark Andrews
Browse files

add CHANGES and release notes entries.

parent 9eec02a8
5108. [bug] Named could fail to determine bottom of zone when
removing out of date keys leading to invalid NSEC
and NSEC3 records being added to the zone. [GL #771]
5107. [bug] 'host -U' did not work. [GL #769]
5106. [experimental] A new "plugin" mechanism has been added to allow
......@@ -126,6 +126,20 @@
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment