From: Evan Hunt <each@isc.org>
Date: Wed, 16 Feb 2022 23:58:50 +0000 (-0800)
Subject: CHANGES and release note for [GL #3157]
X-Git-Tag: v9.19.0~112^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=04361b0ad5e3a799cb37432ac0eb06226a6b62e0;p=thirdparty%2Fbind9.git

CHANGES and release note for [GL #3157]
---

diff --git a/CHANGES b/CHANGES
index fb9adb49e71..7597fce9d88 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5806.	[bug]		An error in checking the "blackhole" ACL could cause
+			DNS requests sent by named to fail if the
+			destination address or prefix was specifically
+			excluded from the ACL. [GL #3157]
+
 5805.	[func]		The result of each resolver priming attempt is now
 			included in the "resolver priming query complete" log
 			message. [GL #3139]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ded784f7a77..c9ae25023b8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -62,3 +62,11 @@ Bug Fixes
 
 - Build errors were introduced in some DLZ modules due to an incomplete
   change in the previous release. This has been fixed. :gl:`#3111`
+
+- An error in the processing of the ``blackhole`` ACL could cause some DNS
+  requests sent by ``named`` to fail - for example, zone transfer requests
+  and SOA refresh queries - if the destination address or prefix was
+  specifically excluded from the ACL using ``!``, or if the ACL was set
+  to ``none``.  ``blackhole`` worked correctly when it was left unset, or
+  if only positive-match elements were included. This has now been fixed.
+  :gl:`#3157`