4967. [cleanup] Add "answer-cookie" to the parser, marked obsolete.
-4966. [placeholder]
+4966. [func] Add the ability to not return a DNS COOKIE option
+ when one is present in the request (answer-cookie no;).
+ [GL #173]
4965. [func] Add support for marking options as deprecated.
[GL #322]
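Review bot: With the placeholder at 4966 replaced by a functional entry, the context line for 4967 directly above still says "answer-cookie" is added to the parser "marked obsolete", so the two adjacent entries describe the same option as both working and obsolete. If the option is functional on this branch, reword or drop 4967 here. Otherwise, say in 4966 which behaviour applies. The entry also gives only the "no" form. A short mention that COOKIE responses stay enabled unless the option is set would keep a reader from treating this as a recommended setting.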
options level, not per-view.
</para>
<para>
- <command>answer-cookie</command> is only available
- as a temporary measure, for use when
- <command>named</command> shares an IP address
- with other servers that do not yet support DNS
- COOKIE. A mismatch between servers on the same
- address is not expected to cause operational
- problems, but the option to disable COOKIE responses
- so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE
- is an important security mechanism and should not be
- disabled unless absolutely necessary.
+ <command>answer-cookie</command> is only intended as an
+ available measure, for use when <command>named</command>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the same
+ address is not expected to cause operational problems, but the
+ option to disable COOKIE responses so that all servers have
+ the same behavior is provided out of an abundance of
+ caution. DNS COOKIE is an important security mechanism and
+ should not be disabled unless absolutely necessary.
</para>
</listitem>
</varlistentry>
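Review bot: The reflowed paragraph changes meaning in its first sentence. "is only available as a temporary measure" became "is only intended as an available measure", which drops "temporary" and no longer reads as English. The temporary nature is the operative caveat for an option that turns off a security mechanism, so I would restore it, for example "is only intended as a temporary measure, for use when". The rest of the paragraph is a pure re-wrap and looks fine.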
signatures and digest, nor it will validate them.
</para>
</listitem>
+ <listitem>
+ <para>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add 'answer-cookie no;' to named.conf. [GL #173]
+ </para>
+ <para>
+ <command>answer-cookie</command> is only intended as an available
+ measure, for use when <command>named</command> shares an IP address
+ with other servers that do not yet support DNS COOKIE. A mismatch
+ between servers on the same address is not expected to cause
+ operational problems, but the option to disable COOKIE responses so
+ that all servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security mechanism
+ and should not be disabled unless absolutely necessary.
+ </para>
+ </listitem>
</itemizedlist>
</section>
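Review bot: The second added paragraph copies the ARM wording, including "only intended as an available measure", so the lost word "temporary" needs fixing here as well. In the first paragraph, 'answer-cookie no;' and named.conf are in plain quotes and plain text while the next paragraph uses <command> markup. Use <command> and <filename> for consistency. The note also omits the scope restriction stated in the ARM ("options level, not per-view"), which an operator reading only the release notes would need to place the statement correctly.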