+5632. [func] Add built-in dnssec-policy "insecure". This is used to
+ transition a zone from a signed state to a unsigned
+ state. [GL #2645]
+
5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658]
5630. [func] Treat DNSSEC responses with NSEC3 iterations greater
configured in an NSEC3 zones to 150. :gl:`#2642`
- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
- [GL #2445]
+ :gl:`#2445`
+
+- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
+ the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
+
+- Zones that want to transition from secure to insecure mode without making it
+ bogus in the process should now first change their ``dnssec-policy`` to
+ ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
+ been removed from the zone (in a timely manner), the ``dnssec-policy`` can
+ be set to ``none`` (or be removed from the configuration). Setting the
+ ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
+ to be published. :gl:`#2645`
Bug Fixes
~~~~~~~~~