From: Mark Andrews Date: Fri, 8 Jun 2018 06:17:27 +0000 (+1000) Subject: add CHANGES and release notes X-Git-Tag: v9.11.4rc1~8^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae0f6f2073dbda768dab82d8956aef8f8090db11;p=thirdparty%2Fbind9.git add CHANGES and release notes (cherry picked from commit 5f7a6232d632119e4eb3e5e0e6d2b2c665820b3e) --- diff --git a/CHANGES b/CHANGES index eb56f7620fa..3ba3146f7b0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4966. [func] Add the ability to not return a DNS COOKIE option + when one is present in the request (answer-cookie no;). + [GL #173] + 4965. [func] Add support for marking options as deprecated. [GL #322] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 441505c24b3..fbabb197d60 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -128,6 +128,26 @@ 'root-key-sentinel no;' to named.conf. [GL #37] + + + Add the ability to not return a DNS COOKIE option when one + is present in the request. To prevent a cookie being returned + add 'answer-cookie no;' to named.conf. [GL #173] + + + answer-cookie is only available as a + temporary measure, for use when named + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the + same address is not expected to cause operational problems, + but the option to disable COOKIE responses so that all + servers have the same behavior is provided out of an + abundance of caution. DNS COOKIE is an important security + mechanism and should not be disabled unless absolutely + necessary. The answer-cookie option + is obsolete as of BIND 9.13. + +
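Review bot: In the CHANGES hunk, entry 4966 gives no sign that answer-cookie is a stopgap, while the release note added in the same commit calls it "a temporary measure" and says it "is obsolete as of BIND 9.13". An operator who reads only CHANGES would take "(answer-cookie no;)" for a permanent tuning knob, even though the release note describes DNS COOKIE as "an important security mechanism" that "should not be disabled unless absolutely necessary". Suggest appending a short clause to the entry saying the option is temporary and meant only for addresses shared with servers that do not yet support DNS COOKIE.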
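Review bot: In the doc/arm/notes.xml hunk, the first added paragraph never states the default or where in named.conf the statement belongs; "To prevent a cookie being returned add 'answer-cookie no;' to named.conf" only implies that a cookie is returned when the option is absent. Suggest stating the default explicitly and naming the block that accepts the option. The closing sentence, "The answer-cookie option is obsolete as of BIND 9.13", is also ambiguous in a note that introduces the option: say what happens to a configuration that still contains it after an upgrade, and that the line should be removed once every server on the shared address supports DNS COOKIE, which follows from the text calling it "a temporary measure".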