From: Matthijs Mekking Date: Wed, 10 Aug 2022 14:52:53 +0000 (+0200) Subject: Add change entry and release note for #3486 X-Git-Tag: v9.19.5~26^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f2a15b52ac1096ce59437c35dbebee57655d9ee;p=thirdparty%2Fbind9.git Add change entry and release note for #3486 News worthy. --- diff --git a/CHANGES b/CHANGES index 726e201b064..27848a6f953 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5947. [func] Change dnssec-policy to allow graceful transition from + an NSEC only zone to NSEC3. [GL #3486] + 5946. [bug] Fix statistics channel's handling of multiple HTTP requests in a single connection which have non-empty request bodies. [GL #3463] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ca4a6b79b65..ad45e432bc0 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -38,6 +38,12 @@ Feature Changes - Zones using ``dnssec-policy`` now require dynamic DNS or ``inline-signing`` to be configured explicitly :gl:`#3381`. +- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY + algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail + to sign the zone, but keep using NSEC for a little longer until the offending + DNSKEY records have been removed from the zone, then switch to using NSEC3. + :gl:`#3486` + Bug Fixes ~~~~~~~~~
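Review bot: In the CHANGES hunk, entry 5947 says "an NSEC only zone", which reads as any zone that uses NSEC, while the release note in the same patch states the actual condition: NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1). Suggest wording along the lines of "a zone signed with an NSEC-only DNSKEY algorithm" so both entries describe the same case, and hyphenating "NSEC-only" if the short form is kept.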
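Review bot: In the doc/notes/notes-current.rst hunk, "keep using NSEC for a little longer" leaves the duration vague even though the same sentence already names the real condition, the removal of the offending DNSKEY records from the zone. Suggest dropping the phrase and fixing the verb: "but will keep using NSEC until the offending DNSKEY records have been removed from the zone, and then switch to NSEC3", so an operator can tell that the zone stays NSEC-signed for that whole interval. As a style point, the :gl:`#3486` reference sits on its own line without a trailing period, unlike the :gl:`#3381` entry in the context lines just above it.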