Add change and release notes [#2710]

diff --git a/CHANGES b/CHANGES
index 096db9f8f54bf3e385293197a337119cfb69790e..f3ee05567d64e5e6d510f60c4434fd1945fbcf74 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,15 @@
+5681.  [func]          Relax the "zone_cdscheck" function to allow CDS and
+                       CDNSKEY records in the zone that do not match an
+                       existing DNSKEY record, so long as the algorithm
+                       does match. This allows a clean rollover from one
+                       provider to another in a multi-signer DNSSEC
+                       configuration. [GL #2710].
+
 5680.  [bug]           Fix a crash in DoH code caused by GET requests without
                        query strings. [GL !5268]
 
 5679.  [bug]           Disable setting the thread affinity. [GL #2822]
 
-
 5678.  [bug]           The "check DS" code failed to release all resources upon
                        named shutdown when a refresh was in progress. This has
                        been fixed. [GL #2811]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 4a1586c40e22277e84525111b5fbee4ab82f90b2..500c89b43d1131ba3a56651924d828cd9a34cd00 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -64,6 +64,12 @@ Feature Changes
   that incorrectly echo back the query message with the RCODE field
   set to FORMERR and the QR bit set to 1. :gl:`#2249`
 
+- CDS and CDNSKEY records may now be published in a zone without the
+  requirement that they exactly match an existing DNSKEY record, so long
+  the zone is signed with an algorithm represented in the CDS or CDNSKEY
+  record.  This allows a clean rollover from one DNS provider to another
+  when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
 Bug Fixes
 ~~~~~~~~~