From 4eb0897c909a7643b30bdc46c21ab354d5f66689 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 30 Apr 2018 18:17:35 -0700 Subject: [PATCH] CHANGES, release notes, README --- CHANGES | 4 ++++ README | 3 +++ README.md | 3 +++ doc/arm/notes.xml | 8 ++++++++ 4 files changed, 18 insertions(+) diff --git a/CHANGES b/CHANGES index 6956376258..f032524123 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5010. [func] New "validate-except" option specifies a list of + domains beneath which DNSSEC validation should not + be performed. [GL #237] + 5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL error queue was not logged. [GL #476] diff --git a/README b/README index c9f5421264..ba5f29d9f1 100644 --- a/README +++ b/README @@ -114,6 +114,9 @@ of changes from BIND 9.12 and earlier releases. New features include: subject to DNSSEC validation and are not treated as authoritative data when answering. This makes it easier to configure a local copy of the root zone as described in RFC 7706. + * QNAME minimization is now supported + * The "validate-except" option allows configuration of domains below + which DNSSEC validation should not be performed. In addition, cryptographic support has been modernized. BIND now uses the best available pseudo-random number generator for the platform on which diff --git a/README.md b/README.md index b283ff98c8..e06941f40d 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,9 @@ include: DNSSEC validation and are not treated as authoritative data when answering. This makes it easier to configure a local copy of the root zone as described in RFC 7706. +* QNAME minimization is now supported +* The "validate-except" option allows configuration of domains below which + DNSSEC validation should not be performed. In addition, cryptographic support has been modernized. BIND now uses the best available pseudo-random number generator for the platform on which 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 8a1f647af5..de2760cbe5 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -143,6 +143,14 @@ loss of security. + + + The validate-except option specifies a list of + domains beneath which DNSSEC validation should not be performed, + regardless of whether a trust anchor has been configured above + them. [GL #237] + +
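Review bot: In the CHANGES hunk, entry 5010 omits the qualifier that the doc/arm/notes.xml text carries, "regardless of whether a trust anchor has been configured above them". Overriding a configured trust anchor is the security-relevant part of this option, so the CHANGES entry should state it as well, so that the two descriptions do not diverge.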
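Review bot: In the README hunk, and in the matching README.md hunk, the added bullet "QNAME minimization is now supported" is unrelated to validate-except. It has no CHANGES or notes.xml entry in this patch, and it lacks the closing period that the neighbouring bullets have. Suggest moving it to its own commit, or naming it in the subject line, and ending it with a period. The validate-except bullet here also says "below which" where CHANGES and notes.xml say "beneath which"; one wording should be used in all four files.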
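Review bot: In the doc/arm/notes.xml hunk, the phrase "domains beneath which DNSSEC validation should not be performed" leaves open whether the listed name itself is exempt or only names under it. Suggest stating that explicitly. A sentence on the consequence would also help: data under a listed domain is accepted without validation even where a trust anchor exists above it, so operators should keep the list as narrow as possible.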