+5632. [func] Add built-in dnssec-policy "insecure". This is used to
+ transition a zone from a signed state to a unsigned
+ state. [GL #2645]
+
5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658]
5630. [func] Treat DNSSEC responses with NSEC3 iterations greater
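Review bot: In the new 5632 entry, "to a unsigned state" should read "to an unsigned state". The entry also says only that the policy exists; the release note added in the same change states that it causes CDS and CDNSKEY DELETE records to be published, and a short mention of that here would let readers of CHANGES see the operational effect without opening the notes.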
- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
:gl:`#2445`
+- Zones that want to transition from secure to insecure mode without making it
+ bogus in the process should now first change their ``dnssec-policy`` to
+ ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
+ been removed from the zone (in a timely manner), the ``dnssec-policy`` can
+ be set to ``none`` (or be removed from the configuration). Setting the
+ ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
+ to be published. :gl:`#2645`
+
Bug Fixes
~~~~~~~~~
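Review bot: The parenthetical "(in a timely manner)" in the added release note leaves the key step undefined: the text tells operators to wait until the DNSSEC records have been removed before setting ``dnssec-policy`` to ``none``, but gives no condition they can check and no indication of how long that takes, and switching too early is exactly the bogus outcome the note is warning about. Suggest replacing the parenthetical with the concrete condition or pointing to the documentation that describes it. Minor wording: "Zones ... without making it bogus" mixes plural and singular, and "Only after ..., the ``dnssec-policy`` can be set" reads more naturally as "the ``dnssec-policy`` can be set to ``none`` only after ...".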