From: Matthijs Mekking Date: Thu, 7 Jan 2021 11:34:09 +0000 (+0100) Subject: Add change and release note for [#2375] X-Git-Tag: v9.17.10~5^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7947f7f9c606c5545862f6ab1d590c16cd283197;p=thirdparty%2Fbind9.git Add change and release note for [#2375] News worthy. --- diff --git a/CHANGES b/CHANGES index 1f8591e7ae5..f1b82b0c012 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5577. [bug] Fix the "three is a crowd" key rollover bug in + dnssec-policy by correctly implementing Equation(2) of + the "Flexible and Robust Key Rollover" paper. [GL #2375] + 5576. [experimental] Initial server-side implementation of DNS-over-HTTPS (DoH). Support for both TLS-encrypted and unencrypted HTTP/2 connections has been added to the network manager diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ba95f08b248..886dc66b765 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -103,3 +103,11 @@ Bug Fixes - When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive" and/or "Delete" timing metadata as possible active keys. This has been fixed. [GL #2406] + +- Fix the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys + rolled faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys were + taking part in a rollover. This could lead to premature removal of + predecessor keys. BIND 9 now implements a recursive successor relation, as + described in the paper "Flexible and Robust Key Rollover" (Equation (2)). + [GL #2375]