CHANGES and release note

diff --git a/CHANGES b/CHANGES
index 12d2fd6a9496d74d45ea3d25ed1c3db9a46ab4d1..9f211b68193a5f4e1dcb6f635a6ea55b2f174f74 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+4957.  [func]          The default setting for "dnssec-validation" is now
+                       "auto", which activates DNSSEC validation using the
+                       IANA root key. (The default can be changed back to
+                       "yes", which activates DNSSEC validation only when keys
+                       are explicitly configured in named.conf, by building
+                       BIND with "configure --disable-auto-validation".)
+                       [GL #30]
+
 4956.  [func]          Change isc_random() to be just PRNG using xoshiro128**,
                        and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 30ca51b601d80723d801d0f54f2417f208da701f..5032df3741023003d0f20942aa30b4eb6fc2ccfd 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -196,6 +196,17 @@
          resort. [GL #221]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         The default setting for <command>dnssec-validation</command> is
+         now <userinput>auto</userinput>, which activates DNSSEC
+         validation using the IANA root key. (The default can be changed
+         back to <userinput>yes</userinput>, which activates DNSSEC
+         validation only when keys are explicitly configured in
+         <filename>named.conf</filename>, by building BIND with
+         <command>configure --disable-auto-validation</command>.) [GL #30]
+       </para>
+      </listitem>
       <listitem>
        <para>
          BIND can no longer be built without DNSSEC support. A cryptography