From: Evan Hunt <each@isc.org>
Date: Wed, 16 May 2018 18:58:52 +0000 (-0700)
Subject: CHANGES and release note
X-Git-Tag: v9.13.1~19^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d91e313337499325306380f4aeda702e7fd7f100;p=thirdparty%2Fbind9.git

CHANGES and release note
---

diff --git a/CHANGES b/CHANGES
index 12d2fd6a949..9f211b68193 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+4957.	[func]		The default setting for "dnssec-validation" is now
+			"auto", which activates DNSSEC validation using the
+			IANA root key. (The default can be changed back to
+			"yes", which activates DNSSEC validation only when keys
+			are explicitly configured in named.conf, by building
+			BIND with "configure --disable-auto-validation".)
+			[GL #30]
+
 4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
 			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 30ca51b601d..5032df37410 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -196,6 +196,17 @@
 	  resort. [GL #221]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The default setting for <command>dnssec-validation</command> is
+	  now <userinput>auto</userinput>, which activates DNSSEC
+	  validation using the IANA root key. (The default can be changed
+	  back to <userinput>yes</userinput>, which activates DNSSEC
+	  validation only when keys are explicitly configured in
+	  <filename>named.conf</filename>, by building BIND with
+	  <command>configure --disable-auto-validation</command>.) [GL #30]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  BIND can no longer be built without DNSSEC support. A cryptography