4.2.x to 4.3.0 or master
------------------------
+Lua Netmask class methods changed
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Netmask class methods ``isIpv4`` and ``isIpv6`` have been deprecated in Lua, use :func:`Netmask.isIPv4` and :func:`Netmask.isIPv6` instead. In C++ API these methods have been removed.
+``socket-dir`` changed
+^^^^^^^^^^^^^^^^^^^^^^
+The default :ref:`setting-socket-dir` has changed to include ``pdns-recursor`` in the path.
+For non-chrooted setups, it is now whatever is passed to ``--with-socketdir`` during configure (``/var/run`` by default) plus ``pdns_recursor``.
+The systemd unit-file is updated to reflect this change and systemd will automatically create the directory with the proper permissions.
+The packaged sysV init-script also creates this directory.
+For other operating systems, update your init-scripts accordingly.
+
+Systemd service and permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The systemd service-file that is installed no longer uses the ``root`` user to start.
+It uses the user and group set with the ``--with-service-user`` and ``--with-service-group`` switches during
+configuration, "pdns" by default.
+This could mean that PowerDNS Recursor cannot read its configuration or zone-file data.
+It is recommended to recursively ``chown`` directories used by PowerDNS Recursor::
+
+ # For Debian-based systems
+ chown -R root:pdns /etc/powerdns
+
+ # For CentOS and RHEL based systems
+ chown -R root:pdns /etc/pdns-recursor
+
+Packages provided on `the PowerDNS Repository <https://repo.powerdns.com>`__ will ``chown`` directories created by them accordingly in the post-installation steps.
+
+New settings
+^^^^^^^^^^^^
+- The :ref:`allow-trust-anchor-query` setting has been added. This setting controls if negative trust anchors can be queried. The default is `no`.
+- The :ref:`max-concurrent-requests-per-tcp-connection` has been added. This setting controls how many requests are handled concurrently per incoming TCP connection. The default is 10.
+- The :ref:`max-generate-steps` setting has been added. This sets the maximum number of steps that will be performed when loading a BIND zone with the ``$GENERATE`` directive. The default is 0, which is unlimited.
+- The :ref:`nothing-below-nxdomain` setting has been added. This setting controls the way cached NXDOMAIN replies imply non-existence of a whole subtree. The default is `dnssec` which means that only DNSSEC validated NXDOMAINS results are used.
+- The :ref:`qname-minimization` setting has been added. This options controls if QName Minimization is used. The default is `yes`.
+
4.1.x to 4.2.0
--------------