Add change and release note for [#2375]

News worthy.

diff --git a/CHANGES b/CHANGES
index 1f8591e7ae5b8a6cce06b6dd093c89a5235d2ce4..f1b82b0c01248db39192286dae1f9352367766b8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5577.  [bug]           Fix the "three is a crowd" key rollover bug in
+                       dnssec-policy by correctly implementing Equation(2) of
+                       the "Flexible and Robust Key Rollover" paper. [GL #2375]
+
 5576.  [experimental]  Initial server-side implementation of DNS-over-HTTPS
                        (DoH). Support for both TLS-encrypted and unencrypted
                        HTTP/2 connections has been added to the network manager

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ba95f08b248be5d08314cf19de3951878c572b9a..886dc66b765a48b9b4b249d3b51754313432c9d4 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -103,3 +103,11 @@ Bug Fixes
 - When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
   and/or "Delete" timing metadata as possible active keys. This has been fixed.
   [GL #2406]
+
+- Fix the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
+  rolled faster than the time required to finish the rollover procedure, the
+  successor relation equation failed because it assumed only two keys were
+  taking part in a rollover. This could lead to premature removal of
+  predecessor keys. BIND 9 now implements a recursive successor relation, as
+  described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
+  [GL #2375]