CHANGES and release note for [GL #3157]

diff --git a/CHANGES b/CHANGES
index fb9adb49e7182db8112e2464b3f5afb8dd1e63c3..7597fce9d882ef257146d78d4d82a3ff40b5b065 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5806.  [bug]           An error in checking the "blackhole" ACL could cause
+                       DNS requests sent by named to fail if the
+                       destination address or prefix was specifically
+                       excluded from the ACL. [GL #3157]
+
 5805.  [func]          The result of each resolver priming attempt is now
                        included in the "resolver priming query complete" log
                        message. [GL #3139]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ded784f7a77c60879e3fcfd9cc27552dc21becf7..c9ae25023b8442a18ff36166d1b35c2708d929c7 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -62,3 +62,11 @@ Bug Fixes
 
 - Build errors were introduced in some DLZ modules due to an incomplete
   change in the previous release. This has been fixed. :gl:`#3111`
+
+- An error in the processing of the ``blackhole`` ACL could cause some DNS
+  requests sent by ``named`` to fail - for example, zone transfer requests
+  and SOA refresh queries - if the destination address or prefix was
+  specifically excluded from the ACL using ``!``, or if the ACL was set
+  to ``none``.  ``blackhole`` worked correctly when it was left unset, or
+  if only positive-match elements were included. This has now been fixed.
+  :gl:`#3157`