Release notes and changes for [#2645]

The feature "going insecure gracefully" has been changed.
2026-05-28 04:34:54 -04:00 · 2021-04-21 16:48:24 +02:00 · 2021-04-21 16:48:24 +02:00 · 75024736a4
commit 75024736a4
parent fadc57d3d0
2 changed files with 16 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5632.	[func]		Add built-in dnssec-policy "insecure". This is used to
+			transition a zone from a signed state to a unsigned
+			state. [GL #2645]
+
 5631.	[bug]		Update ZONEMD to match RFC 8976. [GL #2658]

 5630.	[func]		Treat DNSSEC responses with NSEC3 iterations greater
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -41,7 +41,18 @@ Feature Changes
  configured in an NSEC3 zones to 150. :gl:`#2642`

 - Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
-  [GL #2445]
+  :gl:`#2445`
+
+- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
+  the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
+
+- Zones that want to transition from secure to insecure mode without making it
+  bogus in the process should now first change their ``dnssec-policy`` to
+  ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
+  been removed from the zone (in a timely manner), the ``dnssec-policy`` can
+  be set to ``none`` (or be removed from the configuration). Setting the
+  ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
+  to be published. :gl:`#2645`

 Bug Fixes
 ~~~~~~~~~