DNSSEC: unsigned RRs in the auth section are not bogus.
Even if they are in a signed zone.
diff --git a/CHANGELOG b/CHANGELOG
index 41f481b..b737f44 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -46,10 +46,9 @@
Fix compilation against nettle version 3.5 and later.
Fix spurious DNSSEC validation failures when the auth section
- of a reply proving that a DS record does not exist contains
- unsigned RRs. Only the NSEC/NSEC3 records needed to prove
- the non-existence of the DS record must be signed. Thanks
- to Tore Anderson for spotting and diagnosing the bug.
+ of a reply contains unsigned RRs from a signed zone,
+ with the exception that NSEC and NSEC3 RRs must always be signed.
+ Thanks to Tore Anderson for spotting and diagnosing the bug.
version 2.80
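Review bot: The reworded entry on the `+` lines says the reply no longer fails validation, but not what status an unsigned auth-section RR ends up with. The old text limited the fix to replies proving that a DS record does not exist; the new text covers any reply with unsigned RRs from a signed zone, so it is worth stating whether those RRs are treated as insecure or dropped, so that readers do not assume they are accepted as validated data. The clause "with the exception that NSEC and NSEC3 RRs must always be signed" would also be clearer as its own sentence saying what happens when they are not signed, if the intent is that the reply is still rejected in that case.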