From 3edf86ac26a392d46feae5e3284e6df8f2fe5019 Mon Sep 17 00:00:00 2001
From: Tinderbox User <tbox@isc.org>
Date: Sun, 5 Feb 2017 06:48:29 +0000
Subject: [PATCH] regen v9_10

---
 doc/arm/Bv9ARM.ch09.html | 31 +++++++++++++++++++++++++++++++
 doc/arm/Bv9ARM.html      |  1 +
 doc/arm/notes.html       | 30 ++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index d4eec7408a..db82cee451 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -49,6 +49,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -88,6 +89,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 2a80a9b39e..9ac8fd27c7 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -244,6 +244,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 8ef41e2196..43cdc00f78 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -50,6 +50,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+	https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">