From 61996344fed3fa5a2a095653c38aeb735c79ff53 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 16 Sep 2017 12:06:54 -0700 Subject: [PATCH] [master] clarify CHANGES, add relnote --- CHANGES | 19 +++++++++---------- doc/arm/notes.xml | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index b42cedc441..09b2629ec7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,13 +1,12 @@ -4724. [func] Added the --enable-crypto-rand configure flag - (yes by default): when the random file (-r command - line argument) is set to "openssl" the entropy/random - source is the OpenSSL RAND routine. This is suitable - for virtual machine environment without a hardware - random generator but makes random generation not - reproducible. Note with native PKCS#11 the - entropy/random source will unconditionally be - C_GenerateRandom() i.e. the PKCS#11 random API. - [RT #31459] +4724. [func] When the random device (i.e. the "random-device" + option in named.conf, or the -r command line option + in various tools) is set to "openssl", the OpenSSL + RAND routine is used as the source of entropy/ + randomness. This is suitable for a virtual + machine environment without a hardware random + number generator. This behavior can be overridden + by using "configure --disable-crypto-rand" or + native PKCS#11. [RT #31459] 4723. [bug] Statistics counter DNSTAPdropped was misidentified as DNSSECdropped. [RT #46002] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index c21ea3f13a..ea7049204f 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml 
@@ -363,6 +363,24 @@ "[ECS address/source/scope]". + + + When named is linked with OpenSSL, the + OpenSSL RAND routine can be used as the source of entropy/ + randomness by specifying + random-device openssl; in + named.conf. It can also be used in tools + such as dnssec-keygen, + tsig-keygen, + and nsupdate by specifying + -r openssl on the command line. + This is suitable for a virtual machine environment without + a hardware random number generator. + This behavior can be overridden by using + configure --disable-crypto-rand or + building with native PKCS#11. [RT #31459] + +
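Review bot: In the CHANGES hunk, the new closing sentence of entry 4724 ("This behavior can be overridden by using "configure --disable-crypto-rand" or native PKCS#11") drops two facts that the removed text stated: that the configure flag is on by default, and that with native PKCS#11 the source is unconditionally C_GenerateRandom(). "Overridden" also reads as if it were a runtime choice, when both alternatives are build-time decisions. Suggest wording it as a build-time statement, keeping "(yes by default)" for the flag, and naming the PKCS#11 random API again so an operator can tell which generator a given build actually uses.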
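Review bot: In the doc/arm/notes.xml hunk, the added paragraph says the OpenSSL RAND routine "can be used" via random-device openssl; or -r openssl, but it never says what happens when "openssl" is given to a build configured with --disable-crypto-rand or with native PKCS#11. Since the same option feeds dnssec-keygen and tsig-keygen, readers need to know whether that case is rejected or is treated as something else. Suggest adding one sentence that describes the behavior in those builds, and stating here, as the old CHANGES entry did, that the feature is enabled by default, so that users know no rebuild is needed to get it.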