According to code inspection, there seems to be possible reference
leak to dns_dbnode_t in lib/dns/update.c:dns_update_signaturesinc():

		CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
		dns_rdataset_init(&rdataset);
		CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa,
					  0, (isc_stdtime_t) 0, &rdataset,
					  NULL));
		CHECK(dns_rdataset_first(&rdataset));
		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
		state->nsecttl = soa.minimum;
		dns_rdataset_disassociate(&rdataset);
		dns_db_detachnode(db, &node);

If some of the above CHECK fails after dns_db_findnode() succeeds, it
jumps to 'failure', but 'node' isn't detached in that code block and
will leak.

The same issue seems to exist for ol