Fix check for NSEC3 signatures

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)
diff --git a/doc/Changelog b/doc/Changelog

index 00cee041d302085ef08cdd47d89d30061677c55b..73aa3151fb43bf8469f7a8d4b559b9cd0861609b 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,9 @@
         - retry for validation failure in DNSKEY in middle of chain of trust.
           unit test.
         - retry for empty non terminals in chain of trust and unit test.
+       - Fixed security bug where the signatures for NSEC3 records were not
+         checked when checking for absence of DS records.  This could have
+         enabled the substitution of an insecure delegation.
  
  6 October 2009: Wouter
         - Test set updated to provide additional ns lookup result.
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Wed, 7 Oct 2009 12:57:12 +0000 (12:57 +0000)