From: Matthijs Mekking Date: Tue, 20 Jul 2021 09:40:39 +0000 (+0200) Subject: Add release note and change entry for [#1551] X-Git-Tag: v9.17.18~43^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=1befaa5d450d80b8775c58b45bb3c5d5d2cdea97;p=thirdparty%2Fbind9.git Add release note and change entry for [#1551] --- diff --git a/CHANGES b/CHANGES index 9707cda4196..85e4fd90b90 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +5690. [func] Change "dnssec-signzone" to honor the Predecessor and + Successor metadata values, and allow for gradual + replacement of RRSIGs. In other words, don't sign + with the successor key if there is an RRSIG from the + predecessor key that does not need to be refreshed. + [GL #1551] + 5689. [placeholder] 5688. [bug] Inline and dnssec-policy zones could fail to apply diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c6a5892d0ed..b0fa7eaab87 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -66,6 +66,11 @@ Feature Changes record. This allows a clean rollover from one DNS provider to another when using a multiple-signer DNSSEC configuration. :gl:`#2710` +- ``dnssec-signzone`` is now able to retain signatures from inactive + predecessor keys without introducing additional signatures from the successor + key. This allows for a gradual replacement of RRSIGs as they reach expiry. + :gl:`#1551` + Bug Fixes ~~~~~~~~~
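Review bot: In the CHANGES hunk, entry 5690 only states the actual behaviour in its "In other words" sentence, and that sentence leaves "does not need to be refreshed" undefined. It also never says the predecessor key is inactive, while the release note in the same patch speaks of "inactive predecessor keys". Suggest stating the condition directly and using the same wording in both places, so a reader can tell whether an RRSIG from a still-active predecessor is treated the same way.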
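Review bot: In the doc/notes/notes-current.rst hunk, the new bullet does not mention the Predecessor and Successor metadata that the CHANGES entry names as what "dnssec-signzone" now honors. An operator reading only the release notes cannot tell which key metadata links the two keys for signatures to be retained. Suggest naming the metadata in the bullet. The bullet also says RRSIGs are replaced "as they reach expiry" while CHANGES says "does not need to be refreshed"; the two should describe the same trigger.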