From cdc4388ac3e720367e8d808fe8061e91f06fc484 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 7 Feb 2019 22:45:28 -0800
Subject: [PATCH] CHANGES, release notes

---
 CHANGES           |  5 +++++
 doc/arm/notes.xml | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index dd36dde318..1e5b2dd211 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5228.	[func]		If trusted-keys and managed-keys were configured
+			simultaneously for the same name, the key could
+			not be be rolled automatically. This is now
+			a fatal configuration error. [GL #868]
+
 5227.	[placeholder]
 
 5226.	[placeholder]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 18a9cc9c38..2781c728a8 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -132,7 +132,16 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  None.
+	  When <command>trusted-keys</command> and
+	  <command>managed-keys</command> were both configured for the
+	  same name, or when <command>trusted-keys</command> was used to
+	  configure a trust anchor for the root zone and
+	  <command>dnssec-validation</command> was set to the default
+	  value of <literal>auto</literal>, automatic RFC 5011 key
+	  rollovers would be disabled. This combination of settings was
+	  never intended to work, but there was no check for it in the
+	  parser. This has been corrected, and it is now a fatal
+	  configuration error. [GL #868]
 	</para>
       </listitem>
     </itemizedlist>