git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add release note and change entry for [#1551]
author Matthijs Mekking <matthijs@isc.org>
Tue, 20 Jul 2021 09:40:39 +0000 (11:40 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Wed, 11 Aug 2021 13:15:48 +0000 (15:15 +0200)
CHANGES
doc/notes/notes-current.rst

diff --git a/CHANGES b/CHANGES
index 9707cda41963e5d137b2110749751da6692fe547..85e4fd90b9060cc1b5ca134c6e7f3a08d538a45f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5690.  [func]          Change "dnssec-signzone" to honor the Predecessor and
+                       Successor metadata values, and allow for gradual
+                       replacement of RRSIGs. In other words, don't sign
+                       with the successor key if there is an RRSIG from the
+                       predecessor key that does not need to be refreshed.
+                       [GL #1551]
+
 5689.  [placeholder]
 
 5688.  [bug]           Inline and dnssec-policy zones could fail to apply
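Review bot: entry 5690 never says the predecessor key has to be inactive, while the release note for the same change speaks of "inactive predecessor keys"; state that condition here too so the two descriptions agree. The phrase "does not need to be refreshed" also leaves the criterion open, so it would help to say what decides whether an RRSIG needs refreshing. The "In other words" sentence could then be folded into the first one instead of restating it.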
index c6a5892d0ed3513d74d87486b2218e49bdc93e8c..b0fa7eaab8731b4a031515bba824856401cfa7e1 100644 (file)
@@ -66,6 +66,11 @@ Feature Changes
   record.  This allows a clean rollover from one DNS provider to another
   when using a multiple-signer DNSSEC configuration. :gl:`#2710`
 
+- ``dnssec-signzone`` is now able to retain signatures from inactive
+  predecessor keys without introducing additional signatures from the successor
+  key. This allows for a gradual replacement of RRSIGs as they reach expiry.
+  :gl:`#1551`
+
 Bug Fixes
 ~~~~~~~~~
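Review bot: the new bullet under Feature Changes says RRSIGs are replaced "as they reach expiry", but the CHANGES entry puts the condition as an RRSIG that "does not need to be refreshed"; those are not obviously the same moment for a signer, so one wording should be used in both places. The bullet also omits that the behaviour depends on the Predecessor and Successor metadata being set on the keys, which the CHANGES entry does mention; an operator reading only the release note would not know what triggers it.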