From 41eb7186c4aebefee7b8eee047b218909395a7e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 2 Oct 2025 18:13:26 +0200 Subject: [PATCH] Reorder release notes --- doc/notes/notes-9.20.14.rst | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/doc/notes/notes-9.20.14.rst b/doc/notes/notes-9.20.14.rst index b2e177ebd1..7a44e85bb5 100644 --- a/doc/notes/notes-9.20.14.rst +++ b/doc/notes/notes-9.20.14.rst @@ -78,6 +78,18 @@ New Features Bug Fixes ~~~~~~~~~ +- Missing DNSSEC information when CD bit is set in query. + + The RRSIGs for glue records were not being cached correctly for CD=1 + queries. This has been fixed. :gl:`#5502` + +- :option:`rndc sign` during ZSK rollover will now replace signatures. + + When performing a ZSK rollover, if the new DNSKEY is omnipresent, the + :option:`rndc sign` command now signs the zone completely with the + successor key, replacing all zone signatures from the predecessor key + with new ones. :gl:`#5483` + - Use signer name when disabling DNSSEC algorithms. :any:`disable-algorithms` could cause DNSSEC validation failures when @@ -89,18 +101,6 @@ Bug Fixes the algorithm is disabled for that zone, using deepest match when there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` -- :option:`rndc sign` during ZSK rollover will now replace signatures. - - When performing a ZSK rollover, if the new DNSKEY is omnipresent, the - :option:`rndc sign` command now signs the zone completely with the - successor key, replacing all zone signatures from the predecessor key - with new ones. :gl:`#5483` - -- Missing DNSSEC information when CD bit is set in query. - - The RRSIGs for glue records were not being cached correctly for CD=1 - queries. This has been fixed. :gl:`#5502` - - Preserve cache when reload fails and reload the server again. This fixes an issue where failing to reconfigure/reload the server