CHANGES, release notes

diff --git a/CHANGES b/CHANGES
index dd36dde318c53427603142be7fb9087190d3c907..1e5b2dd211aee199f078d78f659d7a2284f70396 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5228.  [func]          If trusted-keys and managed-keys were configured
+                       simultaneously for the same name, the key could
+                       not be be rolled automatically. This is now
+                       a fatal configuration error. [GL #868]
+
 5227.  [placeholder]
 
 5226.  [placeholder]

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 18a9cc9c386dce3e9fc8ca5db73a7f8f3241ae6c..2781c728a8055315487190bd36bd77bb6f19777a 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -132,7 +132,16 @@
     <itemizedlist>
       <listitem>
        <para>
-         None.
+         When <command>trusted-keys</command> and
+         <command>managed-keys</command> were both configured for the
+         same name, or when <command>trusted-keys</command> was used to
+         configure a trust anchor for the root zone and
+         <command>dnssec-validation</command> was set to the default
+         value of <literal>auto</literal>, automatic RFC 5011 key
+         rollovers would be disabled. This combination of settings was
+         never intended to work, but there was no check for it in the
+         parser. This has been corrected, and it is now a fatal
+         configuration error. [GL #868]
        </para>
       </listitem>
     </itemizedlist>