From ba5869943dbf6becc1677f78eaec338c50051412 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 13 Jul 2021 17:34:30 +0200 Subject: [PATCH] Add change and release notes [#2710] --- CHANGES | 8 +++++++- doc/notes/notes-current.rst | 6 ++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 096db9f8f5..f3ee05567d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,9 +1,15 @@ +5681. [func] Relax the "zone_cdscheck" function to allow CDS and + CDNSKEY records in the zone that do not match an + existing DNSKEY record, so long as the algorithm + does match. This allows a clean rollover from one + provider to another in a multi-signer DNSSEC + configuration. [GL #2710]. + 5680. [bug] Fix a crash in DoH code caused by GET requests without query strings. [GL !5268] 5679. [bug] Disable setting the thread affinity. [GL #2822] - 5678. [bug] The "check DS" code failed to release all resources upon named shutdown when a refresh was in progress. This has been fixed. [GL #2811] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 4a1586c40e..500c89b43d 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -64,6 +64,12 @@ Feature Changes that incorrectly echo back the query message with the RCODE field set to FORMERR and the QR bit set to 1. :gl:`#2249` +- CDS and CDNSKEY records may now be published in a zone without the + requirement that they exactly match an existing DNSKEY record, so long + the zone is signed with an algorithm represented in the CDS or CDNSKEY + record. This allows a clean rollover from one DNS provider to another + when using a multiple-signer DNSSEC configuration. :gl:`#2710` + Bug Fixes ~~~~~~~~~
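Review bot: the single `-` line in the CHANGES hunk deletes the blank line that separated entry 5679 from entry 5678, which looks accidental since every other entry in that hunk is separated by a blank line; restore it so the file keeps one blank line between entries. In the same hunk, the new 5681 entry ends with `[GL #2710].` while the neighbouring entries end with `[GL !5268]` and `[GL #2822]` with no trailing period; drop the period to match.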
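Review bot: the added release note in the notes-current.rst hunk reads "so long the zone is signed with an algorithm represented in the CDS or CDNSKEY record", which is missing "as"; it should read "so long as the zone is signed with an algorithm represented in the CDS or CDNSKEY record", matching the "so long as" wording already used in the CHANGES entry of this same patch. The two texts also differ in terminology ("multi-signer" in CHANGES versus "multiple-signer" in the release note); pick one form for both.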