add CHANGES and release notes

(cherry picked from commit 5f7a6232d632119e4eb3e5e0e6d2b2c665820b3e)

diff --git a/CHANGES b/CHANGES
index eb56f7620fa1c617c8b96c0525aad29f4b71762d..3ba3146f7b0d704d54e66f26965be785306f7547 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4966.  [func]          Add the ability to not return a DNS COOKIE option
+                       when one is present in the request (answer-cookie no;).
+                       [GL #173]
+
 4965.  [func]          Add support for marking options as deprecated.
                        [GL #322]
 

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 441505c24b3a6d37dd0377d493cf48df3a3cda00..fbabb197d606a87ccf64e5bc2bddaf5c7800bc99 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -128,6 +128,26 @@
          'root-key-sentinel no;' to named.conf. [GL #37]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Add the ability to not return a DNS COOKIE option when one
+         is present in the request.  To prevent a cookie being returned
+         add 'answer-cookie no;' to named.conf. [GL #173]
+       </para>
+       <para>
+         <command>answer-cookie</command> is only available as a
+         temporary measure, for use when <command>named</command>
+         shares an IP address with other servers that do not yet
+         support DNS COOKIE.  A mismatch between servers on the
+         same address is not expected to cause operational problems,
+         but the option to disable COOKIE responses so that all
+         servers have the same behavior is provided out of an
+         abundance of caution. DNS COOKIE is an important security
+         mechanism and should not be disabled unless absolutely
+         necessary.  The <command>answer-cookie</command> option
+         is obsolete as of BIND 9.13.
+       </para>
+      </listitem>
     </itemizedlist>
   </section>