add CHANGES and release note

2026-06-09 04:52:05 -04:00 · 2019-01-30 22:10:12 +00:00 · 2019-01-30 22:10:12 +00:00 · 793d358cd6
commit 793d358cd6
parent 8785f6fa34
2 changed files with 18 additions and 0 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
+			generating DS and CDS records. [GL #1015]
+
 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]

 5228.	[func]		If trusted-keys and managed-keys were configured
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -144,6 +144,21 @@
 	  configuration error. [GL #868]
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  DS and CDS records are now generated with SHA-256 digests
+	  only, instead of both SHA-1 and SHA-256. This affects the
+	  default output of <command>dnssec-dsfromkey</command>, the
+	  <filename>dsset</filename> files generated by
+	  <command>dnssec-signzone</command>, the DS records added to
+	  a zone by <command>dnssec-signzone</command> based on
+	  <filename>keyset</filename> files, the CDS records added to
+	  a zone by <command>named</command> and
+	  <command>dnssec-signzone</command> based on "sync" timing
+	  parameters in key files, and the checks performed by
+	  <command>dnssec-checkds</command>.
+	</para>
+      </listitem>
    </itemizedlist>
  </section>