add CHANGES and release notes entries.
authorMark Andrews <marka@isc.org>
Fri, 23 Nov 2018 04:41:30 +0000 (15:41 +1100)
committerEvan Hunt <each@isc.org>
Fri, 7 Dec 2018 20:09:23 +0000 (12:09 -0800)
(cherry picked from commit c8e92d3e45993855caa74adc7b36c02bbf5dae55)
(cherry picked from commit 74a66f7add34eb2311e1931875f717e020fdfdd2)

CHANGES
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index c99ca4f518d3a9bf4c137ce271cb9743f4bdcd2d..8e886c29868d4c59e3c1ce86d0e5e02918830b6d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5108.  [bug]           Named could fail to determine bottom of zone when
+                       removing out of date keys leading to invalid NSEC
+                       and NSEC3 records being added to the zone. [GL #771]
+
        --- 9.12.3 released ---
 
        --- 9.12.3rc1 released ---
index 64467c71d349cd66109a8d3d9c102853cc54c871..0799f62d30128c70bb5c535289bc7a91f99b8908 100644 (file)
          CVE-2018-5736. [GL #134]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Code change #4964, intended to prevent double signatures
+         when deleting an inactive zone DNSKEY in some situations,
+         introduced a new problem during zone processing in which
+         some delegation glue RRsets are incorrectly identified
+         as needing RRSIGs, which are then created for them using
+         the current active ZSK for the zone. In some, but not all
+         cases, the newly-signed RRsets are added to the zone's
+         NSEC/NSEC3 chain, but incompletely -- this can result in
+         a broken chain, affecting validation of proof of nonexistence
+         for records in the zone. [GL #771]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>