CHANGES and release notes

diff --git a/CHANGES b/CHANGES
index 63a2c54db171abad7c32ece63b32d2fe44071776..344afbca5fa80f3e31e8d5a23ef6d40ba5f2cbea 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5574.  [func]          Incoming zone transfers can now use TLS.
+                       Addresses in a "primaries" list take an optional
+                       "tls" argument, specifying either a previously
+                       configured "tls" block or "ephemeral"; SOA queries
+                       and zone transfer requests will then be sent via
+                       TLS. [GL #2392]
+
 5573.  [func]          Also return stale data if an error occurred and we are
                        not resuming. Only start the stale-refresh-time window
                        if we timed out. [GL #2434]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 600911bd2a32b50a6b5d614786538beb9c3fe2be..82677a00ee28369b492a5684c58033a1350341d4 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -47,6 +47,11 @@ New Features
   case, we will try to answer DNS requests with stale data, but not start
   the ``stale-refresh-time`` window. [GL #2434]
 
+- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
+  outgoing zone transfers.  Addresses in a ``primaries`` list can take
+  an optional ``tls`` option which specifies either a previously configured
+  ``tls`` statement or ``ephemeral``. [GL #2392]
+
 Removed Features
 ~~~~~~~~~~~~~~~~