oss-sec mailing list archives

CVE request: BIND 9 bug involving DNSSEC and the additional section


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 24 Nov 2009 16:23:40 +0100

Fixed in BIND 9.6.1-P2, 9.5.2-P1 and 9.4.3-P4, per recent
announcements.

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        validates as secure. [RT #20438]

The advisory at <https://www.isc.org/node/504> is rather unclear.  The
way it is written, one would assume that the in-bailiwick checks are
bypassed as well.  Is this really true?  (Based on a quick look at the
patch, this seems to happen only for secure domains, that is, you need
some trust anchors.)

