git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add change entry and release note for #3486
author Matthijs Mekking <matthijs@isc.org>
Wed, 10 Aug 2022 14:52:53 +0000 (16:52 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Mon, 22 Aug 2022 13:55:47 +0000 (15:55 +0200)
News worthy.

CHANGES
doc/notes/notes-current.rst

diff --git a/CHANGES b/CHANGES
index 726e201b064f79b36a0a7e4bc5dec55c3b6eb019..27848a6f953dac9e88b12bd78c7f894c29e7d958 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5947.  [func]          Change dnssec-policy to allow graceful transition from
+                       an NSEC only zone to NSEC3. [GL #3486]
+
 5946.  [bug]           Fix statistics channel's handling of multiple HTTP
                        requests in a single connection which have non-empty
                        request bodies. [GL #3463]
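Review bot: The new 5947 entry says "an NSEC only zone", which reads as any zone signed with NSEC, while the release note in the same commit narrows the case to a policy using an "NSEC-only DNSKEY algorithm (e.g. RSASHA1)". Consider wording the entry to match, for example "from NSEC with an NSEC-only DNSKEY algorithm to NSEC3", and hyphenating "NSEC-only" so both files use the same term.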
index ca4a6b79b6524f04c291779f3e471f8b78e7c6b7..ad45e432bc07d77508ffcf55aa66b98774873d9d 100644 (file)
@@ -38,6 +38,12 @@ Feature Changes
 - Zones using ``dnssec-policy`` now require dynamic DNS or
   ``inline-signing`` to be configured explicitly :gl:`#3381`.
 
+- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY
+  algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail
+  to sign the zone, but keep using NSEC for a little longer until the offending
+  DNSKEY records have been removed from the zone, then switch to using NSEC3.
+  :gl:`#3486`
+
 Bug Fixes
 ~~~~~~~~~
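Review bot: "keep using NSEC for a little longer until the offending DNSKEY records have been removed" in the added bullet leaves the operator without a way to tell who removes those records or how to see which denial-of-existence mode the zone is currently in. Since a reconfigured policy asks for NSEC3 but the zone keeps serving NSEC chains in the interim, the note should say what triggers the removal and how to confirm the switch has happened. Two smaller points: "will no longer fail to sign the zone, but keep using" reads better as "but will keep using", and the bullet ends on a bare :gl:`#3486` line without the closing period that the preceding entry has after :gl:`#3381`.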