From bfd646795d4752b55db6fc33d248e68ad03555c0 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 7 Feb 2019 22:45:28 -0800
Subject: [PATCH] CHANGES, release notes

---
 CHANGES           |  5 +++++
 doc/arm/notes.xml | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index da90dc5a42..8878e399b5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
 5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
 
+5228.	[cleanup]	If trusted-keys and managed-keys are configured
+			simultaneously for the same name, the key cannot
+			be rolled automatically. This configuration now
+			logs a warning. [GL #868]
+
 5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
 
 5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 1d8747ae95..76275af272 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -123,7 +123,19 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  None.
+	  When <command>trusted-keys</command> and
+	  <command>managed-keys</command> are both configured for the
+	  same name, or when <command>trusted-keys</command> is used to
+	  configure a trust anchor for the root zone and
+	  <command>dnssec-validation</command> is set to the default
+	  value of <literal>auto</literal>, automatic RFC 5011 key
+	  rollovers will fail.
+	</para>
+	<para>
+	  This combination of settings was never intended to work,
+	  but there was no check for it in the parser. This has been
+	  corrected; a warning is now logged. (In BIND 9.15 and
+	  higher this error will be fatal.) [GL #868]
 	</para>
       </listitem>
     </itemizedlist>