[v9_11] release note about new root key

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index cc7e6ff6f33ad6fffba5e789ffc52f2996772c6a..e1c2e5d726ba50d81221521a423ed8905eaee058 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -33,6 +33,35 @@
     </para>
   </section>
 
+  <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
+    <para>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <command>managed-keys</command>
+      statement, or if the pre-configured root key is enabled by using
+      <command>dnssec-validation auto</command>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <command>trusted-keys</command> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <command>trusted-keys</command>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </para>
+    <para>
+      This release includes an updated version of the
+      <filename>bind.keys</filename> file containing the new root
+      key. This file can also be downloaded from
+      <link xmlns:xlink="http://www.w3.org/1999/xlink"
+       xlink:href="https://www.isc.org/bind-keys">
+       https://www.isc.org/bind-keys
+      </link>.
+    </para>
+  </section>
+
   <section xml:id="relnotes_license"><info><title>License Change</title></info>
     <para>
       With the release of BIND 9.11.0, ISC changed to the open