From: Matthijs Mekking Date: Tue, 8 Dec 2020 08:42:51 +0000 (+0100) Subject: Add documentation and notes for [#1750] X-Git-Tag: v9.16.11~11^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=decdd1d3e17a8825870f7a84ffd8664c7b087e4d;p=thirdparty%2Fbind9.git Add documentation and notes for [#1750] (cherry picked from commit 7825d8f916bcfb0e725f0db5402035fd5c48a432) --- diff --git a/CHANGES b/CHANGES index 85aca0a12c4..0d42eb72cdc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,12 @@ +5553. [bug] When reconfiguring named, removing "auto-dnssec" + actually did not turn off DNSSEC maintenance. + This has been fixed. [GL #2341] + +5552. [func] When switching to "dnssec-policy none;", named + now permits a safe transition to insecure mode + and publishes the CDS and CDNSKEY DELETE + records, as described in RFC 8078. [GL #1750] + 5551. [bug] Only assign threads to CPUs in the CPU affinity set. Thanks to Ole Bjørn Hessen. [GL #2245] diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index e7cada0257f..57d023dd2aa 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -97,6 +97,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC7793 RFC7830 [15] RFC7929 + RFC8078 [20] RFC8080 No longer supported diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3d336b7d993..7086eae2aeb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -34,6 +34,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ +- It is now possible to transition a zone from secure to insecure mode + without making it bogus in the process: changing to ``dnssec-policy + none;`` also causes CDS and CDNSKEY DELETE records to be published, to + signal that the entire DS RRset at the parent must be removed, as + described in RFC 8078. [GL #1750] + - The new networking code introduced in BIND 9.16 (netmgr) was overhauled in order to make it more stable, testable, and maintainable. [GL #2321]
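Review bot: in the CHANGES hunk, entry 5553 ([GL #2341], removing "auto-dnssec" not turning off DNSSEC maintenance) is a different issue from the one in the subject line, which names only [#1750]. Either mention #2341 in the commit message or move that entry into the commit that carries the fix, so each CHANGES entry can be traced to its change. Wording nit in the same entry: "actually did not turn off" reads better as "did not turn off".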
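Review bot: in the doc/misc/rfc-compliance hunk, the added line "RFC8078 [20]" refers to note [20], but this is the only hunk for that file and it adds no note text. If [20] is not already defined further down the file, add it in this commit; if it is an existing note, check that its wording fits RFC 8078, since CHANGES entry 5552 claims only the publication of the CDS and CDNSKEY DELETE records.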
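Review bot: in the doc/notes/notes-current.rst hunk, the new bullet promises a transition "without making it bogus in the process" but does not say what the operator should expect between the DELETE records being published and the parent removing the DS RRset. Suggest one more sentence saying whether the zone stays signed during that window and when it is safe to consider the zone insecure. The [GL #2341] fix listed in CHANGES entry 5553 has no release note in this hunk; add one under the bug fixes heading if the behaviour change is visible to operators.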