+5230. [protocol] The SHA-1 hash algorithm is no longer used when
+ generating DS and CDS records. [GL #1015]
+
5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
5228. [func] If trusted-keys and managed-keys were configured
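Review bot: The 5230 entry states that SHA-1 "is no longer used when generating DS and CDS records", which reads as unconditional, but the release note added in this same change limits the effect on dnssec-dsfromkey to its "default output". If SHA-1 digests can still be requested explicitly, word the entry as "no longer used by default" so the two texts agree. If the algorithm is removed outright, say so in the release note instead.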
configuration error. [GL #868]
</para>
</listitem>
+ <listitem>
+ <para>
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <command>dnssec-dsfromkey</command>, the
+ <filename>dsset</filename> files generated by
+ <command>dnssec-signzone</command>, the DS records added to
+ a zone by <command>dnssec-signzone</command> based on
+ <filename>keyset</filename> files, the CDS records added to
+ a zone by <command>named</command> and
+ <command>dnssec-signzone</command> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <command>dnssec-checkds</command>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
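Review bot: The new listitem says the change "affects" the checks performed by dnssec-checkds but does not say how. It should state what an operator will see when the parent still publishes only SHA-1 DS records, because that is the case most likely to surprise someone after upgrading. The word "default" is applied only to dnssec-dsfromkey, so it is also unclear whether the dsset files and the DS and CDS records written by dnssec-signzone and named can still carry SHA-1 on request; one sentence covering that would help. Splitting the single long sentence into a short list of the affected tools would make it easier to scan. The preceding item ends with "[GL #868]", so this one should end with "[GL #1015]" to match.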