CHANGES and release note for [GL #2918]

diff --git a/CHANGES b/CHANGES
index bf6ebe77e6ff8d0fd69d40ca7f3b5fab6529ba62..0915411fd33c053b43e06bb561f8dbac3baa10b2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+5929.  [bug]           The "max-zone-ttl" option in "dnssec-policy" was
+                       not fully effective; it was used for timing key
+                       rollovers but did not actually place an upper limit
+                       on TTLs when loading a zone. This has been
+                       corrected, and the documentation has been clarified
+                       to indicate that the old "max-zone-ttl" zone option
+                       is now ignored when "dnssec-policy" is in use.
+                       [GL #2918]
+
 5924.  [func]          When it's necessary to use AXFR to respond to an
                        IXFR request, a message explaining the reason
                        is now logged at level info. [GL #2683]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 342bc17ee23b7c3a4ed9d314bc3234a99e3b48a3..e5182971841963138d823ecc29e54403c880a535 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -43,3 +43,11 @@ Bug Fixes
 - Non-dynamic zones that inherit dnssec-policy from the view or
   options level were not marked as inline-signed, and thus were never
   scheduled to be re-signed. This is now fixed. :gl:`#3438`
+
+- The old ``max-zone-ttl`` zone option was meant to be superseded by
+  the ``max-zone-ttl`` option in ``dnssec-policy``; however, the latter
+  option was not fully effective. This has been corrected: zones will
+  not load if they contain TTLs greater than the limit configured in
+  ``dnssec-policy``. In zones with both the old ``max-zone-ttl``
+  option and ``dnssec-policy`` configured, the old option will be
+  ignored, and a warning will be generated. :gl:`#2918`