Add change and release notes [#2710]

(cherry picked from commit ba5869943dbf6becc1677f78eaec338c50051412)

diff --git a/CHANGES b/CHANGES
index 12cb33cee2865e7ad10b9c1ff288ab6e0ff67d03..6d442270289c83d1c5ebf3ae6e487e1891c1ddac 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5681.  [func]          Relax the "zone_cdscheck" function to allow CDS and
+                       CDNSKEY records in the zone that do not match an
+                       existing DNSKEY record, so long as the algorithm
+                       does match. This allows a clean rollover from one
+                       provider to another in a multi-signer DNSSEC
+                       configuration. [GL #2710].
+
 5679.  [bug]           Disable setting the thread affinity. [GL #2822]
 
 5678.  [bug]           The "check DS" code failed to release all resources upon

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index e13e147ae435562ae889ac503fd5e43a8d84ca8b..7f94b682c22a5a5e756c01fbaccf4ee749aa5738 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -51,6 +51,12 @@ Feature Changes
   maximum payload size, so a a useful default for maximum DNS/UDP payload size
   on reliable networks would be 1432. [GL #2183]
 
+- CDS and CDNSKEY records may now be published in a zone without the
+  requirement that they exactly match an existing DNSKEY record, so long
+  the zone is signed with an algorithm represented in the CDS or CDNSKEY
+  record.  This allows a clean rollover from one DNS provider to another
+  when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
 Bug Fixes
 ~~~~~~~~~