git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add a CHANGES note for [GL #4480]
author Aram Sargsyan <aram@isc.org>
Wed, 27 Mar 2024 14:59:37 +0000 (14:59 +0000)
committer Nicki Křížek <nicki@isc.org>
Mon, 10 Jun 2024 15:34:09 +0000 (17:34 +0200)
CHANGES

diff --git a/CHANGES b/CHANGES
index c8e043e51438a66bac5c0a8882cda6bebdb41b72..828f26d21144cb2bcf18573db6c8e05590b95407 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+6402.  [security]      A malicious DNS client that sends many queries with a
+                       SIG(0)-signed message can cause the server to respond
+                       slowly or not respond at all to other clients. Use the
+                       offload threadpool for SIG(0) signature verifications,
+                       add the 'sig0checks-quota' configuration option to
+                       introduce a quota for SIG(0)-signed queries running in
+                       parallel and add the 'sig0checks-quota-exempt' option to
+                       exempt certain clients by their IP/network addresses.
+                       (CVE-2024-1975) [GL #4480]
+
 6401.  [security]      An excessively large number of rrtypes per owner can
                        slow down database query processing, so a limit has been
                        placed on the number of rrtypes that can be stored per
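
Review bot: the new 6402 entry names 'sig0checks-quota' and 'sig0checks-quota-exempt' but does not state the default quota value or whether the quota is active without configuration, so an operator reading CHANGES cannot tell whether upgrading alone mitigates CVE-2024-1975 or whether named.conf must be edited. Suggest adding the default, or a pointer to where the option is documented. Two wording points in the same entry: "sends many queries with a SIG(0)-signed message" would read more clearly as "sends many SIG(0)-signed queries", and the second sentence lists three separate changes (offload threadpool, quota option, exempt option) in one run; splitting it would make each change easier to find.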