From: Nicki Křížek Date: Mon, 29 Jun 2026 13:34:29 +0000 (+0000) Subject: amend! Add non-IN RR classes to list of unsupported configurations X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc06f799dce67fe1e7891357879230dddcc5e19d;p=thirdparty%2Fbind9.git amend! Add non-IN RR classes to list of unsupported configurations Document that non-IN RR class issues are out of CVE scope CVE-2026-5946 covered assertion failures reachable only through the handling of resource record classes other than Internet (IN). Configuring zones or views with such classes is a supported feature; document in the security assumptions that problems reachable only through it cannot be the basis for CVE assignment. Closes #5805 Assisted-by: Claude:claude-opus-4-8 --- diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst index a596f4b820..c1eaf3bc77 100644 --- a/doc/arm/security.inc.rst +++ b/doc/arm/security.inc.rst @@ -30,8 +30,11 @@ can potentially cause crashes, incorrect data handling, or corruption: - Clients communicating via the :any:`controls` socket using configured keys - Access to :any:`statistics-channels` from untrusted clients - Sockets used for :any:`update-policy` type `external` -- Configuring resources (views, zones, ...) with non-Internet (IN) Resource - Record classes (like CHAOS or HESIOD) + +Problems that can only be triggered by configuring resources +(views, zones, ...) with DNS classes other than Internet (IN), such as +CHAOS (CH) or HESIOD (HS), cannot be the basis for CVE assignment or +special security-sensitive handling of issues. Certain aspects of the DNS protocol are left unspecified, such as the handling of responses from DNS servers which do not fully conform to the DNS protocol. For
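Review bot: the hunk's intent and the commit subject disagree: the `-` lines remove non-IN classes from the list of configurations that "can potentially cause crashes", and the body says such configuration "is a supported feature", yet the subject still reads "Add non-IN RR classes to list of unsupported configurations". Since this is an `amend!` commit, the squashed subject should be updated to match the body (e.g. "Document that non-IN RR class issues are out of CVE scope"). In the added rST paragraph, consider stating explicitly that using CHAOS (CH) or HESIOD (HS) classes in views and zones is a supported configuration before saying that problems reachable only through it "cannot be the basis for CVE assignment"; as written, a reader of `security.inc.rst` sees the paragraph directly under the list of configurations that are not security boundaries and may still read it as "unsupported". The closing phrase "special security-sensitive handling of issues" could also be tightened to "handling under the security-sensitive issue process" or similar, so it names the process being excluded rather than a vague category.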