From: Tinderbox User <tbox@isc.org>
Date: Sun, 5 Feb 2017 06:45:22 +0000 (+0000)
Subject: regen v9_11
X-Git-Tag: v9.11.1rc1~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33c9436ef1a43d3c0fc3d9be9b4b0509daa83223;p=thirdparty%2Fbind9.git

regen v9_11
---

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b742b1599ab..5e37b72d9c6 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -40,6 +40,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -80,6 +81,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
     <p>
       With the release of BIND 9.11.0, ISC changed to the open
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 039cadd0519..a5939af26ad 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -245,6 +245,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 159acbb2ee2..1ad6efafcc8 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -42,6 +42,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
     <p>
       With the release of BIND 9.11.0, ISC changed to the open