From: Matthijs Mekking Date: Tue, 8 Dec 2020 08:42:51 +0000 (+0100) Subject: Add documentation and notes for [#1750] X-Git-Tag: v9.17.9~19^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7825d8f916bcfb0e725f0db5402035fd5c48a432;p=thirdparty%2Fbind9.git Add documentation and notes for [#1750] --- diff --git a/CHANGES b/CHANGES index 367a14341ac..c5b665997fc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,12 @@ +5553. [bug] When reconfiguring named, removing "auto-dnssec" + actually did not turn off DNSSEC maintenance. + This has been fixed. [GL #2341] + +5552. [func] When switching to "dnssec-policy none;", named + now permits a safe transition to insecure mode + and publishes the CDS and CDNSKEY DELETE + records, as described in RFC 8078. [GL #1750] + 5551. [bug] Only assign threads to CPUs in the CPU affinity set. Thanks to Ole Bjørn Hessen. [GL #2245] diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 07e97353779..c1694c9b164 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -98,6 +98,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC7793 RFC7830 [15] RFC7929 + RFC8078 [20] RFC8080 RFC8880 diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c26e11c9197..8f697929a35 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -34,7 +34,11 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- ``ipv4only.arpa`` is now served when ``dns64`` is configured. [GL #385] +- It is now possible to transition a zone from secure to insecure mode + without making it bogus in the process: changing to ``dnssec-policy + none;`` also causes CDS and CDNSKEY DELETE records to be published, to + signal that the entire DS RRset at the parent must be removed, as + described in RFC 8078. [GL #1750] - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to
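Review bot: In the CHANGES hunk, entry 5553 covers [GL #2341] (removing "auto-dnssec" did not turn off DNSSEC maintenance), but the commit subject names only [#1750] and the notes-current.rst hunk adds no release note for it. Either mention #2341 in the commit message and add a matching release note, or move that entry to the commit that carries the fix. The wording "actually did not turn off" would also read more cleanly as "did not turn off".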
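Review bot: In doc/misc/rfc-compliance, the added line "RFC8078 [20]" points at note [20], yet this is the only hunk for that file, so the patch adds no text for the note. Please confirm that [20] already exists and that its wording applies to RFC 8078; if it does not, add the note in this patch so the reference does not dangle.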
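Review bot: In the Feature Changes hunk of doc/notes/notes-current.rst, the new bullet replaces the ``ipv4only.arpa`` / ``dns64`` entry [GL #385] instead of being added next to it, and the commit message does not explain that removal. If dropping the GL #385 note is unintended, keep that line and add the ``dnssec-policy none;`` bullet as a separate item; if it is intended, say so in the commit message.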