From 294943ba7ce037ae8ed161fc3eafda43876749fe Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 22 Nov 2023 16:39:40 +0100 Subject: [PATCH] Add release note and CHANGES for #4363 This protocol change is definitely worth mentioning. --- CHANGES | 6 ++++++ doc/notes/notes-current.rst | 7 ++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 06772c24e6..83590f8445 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +6292. [func] Lower the maximum number of allowed NSEC3 iterations, + from 150 to 50. DNSSEC responses with a higher + iteration count are treated as insecure. For signing + with dnssec-policy, iterations must be set to zero. + [GL #4363] + 6291. [bug] SIGTERM failed to properly stop multiple outstanding lookup in dig. [GL #4457] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 7c0b9b30dc..9bb024fe9b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -33,7 +33,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- None. +- The maximum number of allowed NSEC3 iterations for validation has been + lowered from 150 to 50. DNSSEC responses containing NSEC3 records with + iteration counts greater than 50 are now treated as insecure. :gl:`#4363` + +- The number of NSEC3 iterations that can be configured for a zone must be 0. + :gl:`#4363` Bug Fixes ~~~~~~~~~
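Review bot: In the CHANGES hunk, entry 6292 scopes the signing restriction to dnssec-policy ("For signing with dnssec-policy, iterations must be set to zero"), while the release-note bullet in the second hunk says the iteration count "that can be configured for a zone must be 0" without that qualifier; please align the two so operators know whether zones signed outside dnssec-policy are affected. It would also help to say in the CHANGES text that the new 50-iteration limit is enforced on the validation side, as the release note does ("allowed NSEC3 iterations for validation"), since "DNSSEC responses with a higher iteration count are treated as insecure" does not say which component applies the limit.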
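Review bot: In the notes-current.rst hunk, the second bullet ("The number of NSEC3 iterations that can be configured for a zone must be 0.") states the new rule but not its consequence; a release note should tell operators what happens to an existing configuration with a non-zero iteration count (whether the configuration is rejected or only warned about) and that policies need updating before the upgrade. For the first bullet, consider spelling out what "treated as insecure" means in practice (answers from a zone signed with more than 50 iterations are still returned, but no longer validate), since that loss of validated status is the operational impact readers of the note will be looking for.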