+5108. [bug] Named could fail to determine bottom of zone when
+ removing out of date keys leading to invalid NSEC
+ and NSEC3 records being added to the zone. [GL #771]
+
5107. [bug] 'host -U' did not work. [GL #769]
5106. [experimental] A new "plugin" mechanism has been added to allow
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
+ <listitem>
+ <para>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </para>
+ </listitem>
</itemizedlist>
</section>
projects / thirdparty / bind9.git / commitdiff
