+5108. [bug] Named could fail to determine bottom of zone when
+ removing out of date keys leading to invalid NSEC
+ and NSEC3 records being added to the zone. [GL #771]
+
--- 9.11.5 released ---
--- 9.11.5rc1 released ---
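Review bot: The CHANGES entry in the three added lines at the top describes only the symptom (invalid NSEC and NSEC3 records) and does not say that this is a regression from change 4964, which the release note for the same issue [GL #771] does state. Consider adding a short "regression introduced by change 4964" reference so that someone reading CHANGES alone can tell which releases are affected. Style: "Named" would read better as lowercase "named" for the daemon name, and "out of date keys" as "out-of-date keys".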
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
+ <listitem>
+ <para>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </para>
+ </listitem>
</itemizedlist>
</section>
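Review bot: The new <para> explains how change #4964 led to a broken NSEC/NSEC3 chain but never states that this release corrects it, and it gives no guidance for zones that were already processed by the affected code. Add a closing sentence before </para> saying the problem is fixed here and whether an affected zone repairs itself or needs to be re-signed, since operators will read this note to decide whether action is required. Minor wording: "In some, but not all cases" is missing its second comma ("In some, but not all, cases").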