CHANGES, release notes

diff --git a/CHANGES b/CHANGES
index 2577b5ca2e9c28fe3e6b578e9c0dadb94045df31..431b7846cbdc1e591f82be6e35022fdd96499aa0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
 5229.  [protocol]      Enforce known SSHFP fingerprint lengths. [GL #852]
 
+5228.  [cleanup]       If trusted-keys and managed-keys are configured
+                       simultaneously for the same name, the key cannot
+                       be rolled automatically. This configuration now
+                       logs a warning. [GL #868]
+
 5224.  [bug]           Only test provide-ixfr on TCP streams. [GL #991]
 
 5222.  [bug]           'delv -t ANY' could leak memory. [GL #983]

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 8f71498f8632236dc3dbe25660229ba91791b3eb..00ce8f176db021e1b8d08b8c94a1895b1cd2c4e2 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -96,7 +96,19 @@
     <itemizedlist>
       <listitem>
        <para>
-         None.
+         When <command>trusted-keys</command> and
+         <command>managed-keys</command> are both configured for the
+         same name, or when <command>trusted-keys</command> is used to
+         configure a trust anchor for the root zone and
+         <command>dnssec-validation</command> is set to
+         <literal>auto</literal>, automatic RFC 5011 key
+         rollovers will fail.
+       </para>
+       <para>
+         This combination of settings was never intended to work,
+         but there was no check for it in the parser. This has been
+         corrected; a warning is now logged. (In BIND 9.15 and
+         higher this error will be fatal.) [GL #868]
        </para>
       </listitem>
     </itemizedlist>