add CHANGES and release notes entries.

(cherry picked from commit c8e92d3e45993855caa74adc7b36c02bbf5dae55)

diff --git a/CHANGES b/CHANGES
index b0773563ecde270828c6fa7b82423e7c8f63804d..ace7b221083508bd95fc1f2d2fff8347857ca09b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5108.  [bug]           Named could fail to determine bottom of zone when
+                       removing out of date keys leading to invalid NSEC
+                       and NSEC3 records being added to the zone. [GL #771]
+
 5107.  [bug]           'host -U' did not work. [GL #769]
 
 5104.  [cleanup]       Log clearer informational message when a catz zone

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 25566cc7466584caebbdff8d709ea68c9f2706a1..b4efd3792cad2881683417682b177f18d5ad8cdf 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -92,6 +92,20 @@
          remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Code change #4964, intended to prevent double signatures
+         when deleting an inactive zone DNSKEY in some situations,
+         introduced a new problem during zone processing in which
+         some delegation glue RRsets are incorrectly identified
+         as needing RRSIGs, which are then created for them using
+         the current active ZSK for the zone. In some, but not all
+         cases, the newly-signed RRsets are added to the zone's
+         NSEC/NSEC3 chain, but incompletely -- this can result in
+         a broken chain, affecting validation of proof of nonexistence
+         for records in the zone. [GL #771]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>