New DNSSEC Root Key

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 4a637cf05303d6e5d81f0cd7420a216fda8b634e..a1c6cf268efe65eed734328a267424f9c886d985 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -62,6 +62,35 @@
     </para>
   </section>
 
+  <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
+    <para>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <command>managed-keys</command>
+      statement, or if the pre-configured root key is enabled by using
+      <command>dnssec-validation auto</command>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <command>trusted-keys</command> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <command>trusted-keys</command>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </para>
+    <para>
+      This release includes an updated version of the
+      <filename>bind.keys</filename> file containing the new root
+      key. This file can also be downloaded from
+      <link xmlns:xlink="http://www.w3.org/1999/xlink"
+       xlink:href="https://www.isc.org/bind-keys">
+       https://www.isc.org/bind-keys
+      </link>.
+    </para>
+  </section>
+
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
       <listitem>