From: Tony Finch Date: Wed, 30 Jan 2019 22:10:12 +0000 (+0000) Subject: add CHANGES and release note X-Git-Tag: v9.15.0~6^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=793d358cd62d9336f01403e6c2b170dd27301efb;p=thirdparty%2Fbind9.git add CHANGES and release note --- diff --git a/CHANGES b/CHANGES index f8b2ab0343d..587bd10c726 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5230. [protocol] The SHA-1 hash algorithm is no longer used when + generating DS and CDS records. [GL #1015] + 5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852] 5228. [func] If trusted-keys and managed-keys were configured diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 2781c728a80..732da2f8dad 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -144,6 +144,21 @@ configuration error. [GL #868] + + + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds. + +
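Review bot: entry 5230 in the CHANGES hunk says SHA-1 is no longer used when generating DS and CDS records, but not which digest is used instead, while the notes.xml text in the same commit says "SHA-256 digests only". Suggest naming SHA-256 in the CHANGES entry as well, so that an operator reading only CHANGES knows which digest type to expect in generated DS and CDS records after upgrading.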
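Review bot: the release note added in the doc/arm/notes.xml hunk leaves two things undocumented. It says the change affects "the default output of dnssec-dsfromkey" without saying how to request a non-default digest, and it lists "the checks performed by dnssec-checkds" without saying what changes for the operator. Suggest one sentence on how to produce another digest type where a parent zone still requires it, and one on what dnssec-checkds reports when the parent holds only SHA-1 DS records. The preceding note in the context lines ends with "[GL #868]", but this one carries no issue reference, although the CHANGES entry cites [GL #1015].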