From: Matthijs Mekking Date: Wed, 21 Apr 2021 14:48:24 +0000 (+0200) Subject: Release notes and changes for [#2645] X-Git-Tag: v9.17.13~26^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75024736a4b0781dff26dcd6bd000f8ec8971a24;p=thirdparty%2Fbind9.git Release notes and changes for [#2645] The feature "going insecure gracefully" has been changed. --- diff --git a/CHANGES b/CHANGES index b70b4abcef5..4b4d18e57d9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5632. [func] Add built-in dnssec-policy "insecure". This is used to + transition a zone from a signed state to a unsigned + state. [GL #2645] + 5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658] 5630. [func] Treat DNSSEC responses with NSEC3 iterations greater diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 717b1a7540e..423ecede42b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -41,7 +41,18 @@ Feature Changes configured in an NSEC3 zones to 150. :gl:`#2642` - Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. - [GL #2445] + :gl:`#2445` + +- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to + the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` + +- Zones that want to transition from secure to insecure mode without making it + bogus in the process should now first change their ``dnssec-policy`` to + ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have + been removed from the zone (in a timely manner), the ``dnssec-policy`` can + be set to ``none`` (or be removed from the configuration). Setting the + ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records + to be published. :gl:`#2645` Bug Fixes ~~~~~~~~~