CHANGES, release notes
authorEvan Hunt <each@isc.org>
Wed, 3 Oct 2018 22:32:25 +0000 (15:32 -0700)
committerEvan Hunt <each@isc.org>
Wed, 5 Jun 2019 14:54:27 +0000 (07:54 -0700)
CHANGES
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index c2eaf28334ee4d27e8e5fb2f45c213cb52e00aa6..d9f060c3e276443420eea7fea10dcc60a5939361 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,20 @@
+5248.  [func]          To clarify the configuration of DNSSEC keys,
+                       the "managed-keys" and "trusted-keys" options
+                       have both been deprecated.  The new "dnssec-keys"
+                       statement can now be used for all trust anchors,
+                       with the keywords "iniital-key" or "static-key"
+                       to indicate whether the configured trust anchor
+                       should be used for initialization of RFC 5011 key
+                       management, or as a permanent trust anchor.
+
+                       The "static-key" keyword will generate a warning if
+                       used for the root zone.
+
+                       Configurations using "trusted-keys" or "managed-keys"
+                       will continue to work with no changes, but will
+                       generate warnings in the log. In a future release,
+                       these options will be marked obsolete. [GL #6]
+
 5247.  [cleanup]       The 'cleaning-interval' option has been removed.
                        [GL !1731]
 
index 28da1f77534dd2eb9a227ff8e51c8ee758ae5402..7bd9f039158bdc212d107cd21158ebf80b5dd9fc 100644 (file)
     <itemizedlist>
       <listitem>
        <para>
-         When <command>trusted-keys</command> and
-         <command>managed-keys</command> were both configured for the
-         same name, or when <command>trusted-keys</command> was used to
+         The new <command>dnssec-keys</command> statement can now be
+         used to configure all DNSSEC trust anchors.  The older
+         <command>managed-keys</command> statement is a synonym for
+         <command>dnssec-keys</command>, retained for backward
+         compatibility. Both statements can now use the
+         keyword <command>static-key</command> in place of
+         <command>initial-key</command> if it is necessary to
+         configure trusted keys for which RFC 5011 trust anchor
+         maintenance is not to be used. [GL #6]
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         <command>named</command> will now log a warning if
+         a static key is configured for the root zone, or if
+         any key is configured for "dlv.isc.org", which has been shut
+         down. [GL #6]
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         When static and managed DNSSEC keys were both configured for the
+         same name, or when a static key was used to
          configure a trust anchor for the root zone and
          <command>dnssec-validation</command> was set to the default
          value of <literal>auto</literal>, automatic RFC 5011 key
     </itemizedlist>
   </section>
 
+  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
+    <itemizedlist>
+      <listitem>
+       <para>
+         In order to clarify the configuration of DNSSEC keys,
+         the <command>trusted-keys</command> and
+         <command>managed-keys</command> statement has been
+         deprecated.  The new <command>dnssec-keys</command> should
+         be used for both types of keys.
+       </para>
+       <para>
+         When used with the keyword <command>initial-key</command>,
+         <command>dnssec-keys</command> has the same behavior as
+         <command>managed-keys</command>, i.e., it configures
+         a trust anchor that is to be maintained via RFC 5011.
+       </para>
+       <para>
+         When used with the new keyword <command>static-key</command>, it
+         has the same behavior as <command>trusted-keys</command>,
+         configuring a permanent trust anchor that will not automatically
+         be updated.  This usage is not recommended for the root key.
+         [GL #6]
+       </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
   <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
     <itemizedlist>
       <listitem>