diff --git a/doc/arm/notes-9.17.1.xml b/doc/arm/notes-9.17.1.xml
index 65b5bfb6e2..da15f4bd31 100644
--- a/doc/arm/notes-9.17.1.xml
+++ b/doc/arm/notes-9.17.1.xml
@@ -15,9 +15,9 @@
- DNS rebinding protection was ineffective when BIND 9 is configured as
- a forwarding DNS server. Found and responsibly reported by Tobias
- Klein. [GL #1574]
+ DNS rebinding protection was ineffective when BIND 9 is configured as
+ a forwarding DNS server. Found and responsibly reported by Tobias
+ Klein. [GL #1574]
@@ -27,7 +27,13 @@
- None.
+ We have received reports that in some circumstances, receipt of an
+ IXFR can cause the processing of queries to slow significantly. Some
+ of these were related to RPZ processing, which has been fixed in this
+ release (see below). Others appear to occur where there are
+ NSEC3-related changes (such as an operator changing the NSEC3 salt
+ used in the hash calculation). These are being investigated.
+ [GL #1685]
@@ -37,8 +43,17 @@
- None.
-
+ A new option, nsdname-wait-recurse, has been added
+ to the response-policy clause in the configuration
+ file. When set to no, RPZ NSDNAME rules are only
+ applied if the authoritative nameservers for the query name have been
+ looked up and are present in the cache. If this information is not
+ present, the RPZ NSDNAME rules are ignored, but the information is
+ looked up in the background and applied to subsequent queries. The
+ default is yes, meaning that RPZ NSDNAME rules
+ should always be applied, even if the information needs to be looked
+ up first. [GL #1138]
+
@@ -47,9 +62,9 @@
- The DNSSEC sign statistics used lots of memory. The number of keys
- to track is reduced to four per zone, which should be enough for
- 99% of all signed zones. [GL #1179]
+ The previous DNSSEC sign statistics used lots of memory. The number of
+ keys to track is reduced to four per zone, which should be enough for
+ 99% of all signed zones. [GL #1179]
@@ -59,20 +74,25 @@
- When an RPZ policy zone was updated via zone transfer
- and a large number of records were deleted, named
- could become nonresponsive for a short period while deleted
- names were removed from the RPZ summary database. This database
- cleanup is now done incrementally over a longer period of time,
- reducing such delays. [GL #1447]
+ When an RPZ policy zone was updated via zone transfer and a large
+ number of records was deleted, named could become
+ nonresponsive for a short period while deleted names were removed from
+ the RPZ summary database. This database cleanup is now done
+ incrementally over a longer period of time, reducing such delays.
+ [GL #1447]
- Migration to dnssec-policy from existing DNSSEC strategy with
- auto-dnssec maintain did not work due to bad initializing of the
- key states. Fixed by looking closely at the time metadata to
- set the key states to the correct values. [GL #1706]
+ When trying to migrate an already-signed zone from
+ auto-dnssec maintain to one based on
+ dnssec-policy, the existing keys were immediately
+ deleted and replaced with new ones. As the key rollover timing
+ constraints were not being followed, it was possible that some clients
+ would not have been able to validate responses until all old DNSSEC
+ information had timed out from caches. BIND now looks at the time
+ metadata of the existing keys and incorporates it into its DNSSEC
+ policy operation. [GL #1706]