chg: doc: Make inline-signing default value change more clear in documentation

Emphasize more that the `inline-signing` default value has changed in 9.20.0. Merge branch 'matthijs-improve-release-notes-wrt-inline-signing-9.20' into 'bind-9.20' See merge request isc-projects/bind9!9647
2026-06-06 03:32:03 -04:00 · 2024-10-30 16:11:01 +00:00 · 2024-10-30 16:11:01 +00:00 · efc790c715
commit efc790c715
parent b4c79bdcdf 77d54c03dd
1 changed files with 8 additions and 3 deletions
--- a/doc/notes/notes-9.20.0.rst
+++ b/doc/notes/notes-9.20.0.rst
@ -351,11 +351,16 @@ Feature Changes
  :gl:`#4349`

 - The :any:`inline-signing` statement can now also be set inside
-  :any:`dnssec-policy`. The built-in policies ``default`` and
-  ``insecure`` enable the use of :any:`inline-signing`. If
-  :any:`inline-signing` is set at the ``zone`` level, it overrides the
+  :any:`dnssec-policy`. The default is to use :any:`inline-signing`.
+  This also applies to the built-in policies ``default` and ``insecure``.
+  If  :any:`inline-signing` is set at the ``zone`` level, it overrides the
  value set in :any:`dnssec-policy`. :gl:`#3677`

+- Due to the change in default value from ``no`` to ``yes``,
+  DNSSEC-enabled dynamic zones that do not have :any:`inline-signing`
+  explicitly set must now add the option to their configuration with the
+  value ``no`` if they do not want their zone also to be inline-signed.
+
 - Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only
  allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using
  NSEC3 that the policy manages. :gl:`#4363`