Make inline-signing default value change more clear

Emphasize more that the inline-signing default value has changed in 9.20.0.
2026-04-21 06:09:13 -04:00 · 2024-10-16 15:39:01 +02:00 · 2024-10-16 15:39:01 +02:00 · 77d54c03dd
commit 77d54c03dd
parent b4c79bdcdf
1 changed files with 8 additions and 3 deletions
--- a/doc/notes/notes-9.20.0.rst
+++ b/doc/notes/notes-9.20.0.rst
@ -351,11 +351,16 @@ Feature Changes
  :gl:`#4349`

 - The :any:`inline-signing` statement can now also be set inside
-  :any:`dnssec-policy`. The built-in policies ``default`` and
-  ``insecure`` enable the use of :any:`inline-signing`. If
-  :any:`inline-signing` is set at the ``zone`` level, it overrides the
+  :any:`dnssec-policy`. The default is to use :any:`inline-signing`.
+  This also applies to the built-in policies ``default` and ``insecure``.
+  If  :any:`inline-signing` is set at the ``zone`` level, it overrides the
  value set in :any:`dnssec-policy`. :gl:`#3677`

+- Due to the change in default value from ``no`` to ``yes``,
+  DNSSEC-enabled dynamic zones that do not have :any:`inline-signing`
+  explicitly set must now add the option to their configuration with the
+  value ``no`` if they do not want their zone also to be inline-signed.
+
 - Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
  allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
  NSEC3 that the policy manages. :gl:`#4363`