From 087eab022f81fd826612f29175be33b75a5827f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Mon, 14 May 2018 12:43:19 +0200
Subject: [PATCH] Add release notes.

---
 doc/arm/notes.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index e0a37f8728..f22186bd7d 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -127,11 +127,38 @@
 	  implementation of "rbt") has been removed. [GL #217]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The <command>-r randomdev</command> option to explicitly select
+	  random device has been removed from
+	  <command>ddns-confgen</command>,
+	  <command>rndc-confgen</command>,
+	  <command>nsupdate</command>,
+	  <command>dnssec-confgen</command>, and
+	  <command>dnssec-signzone</command> commands.
+	</para>
+	<para>
+	  The <command>-p</command> option to use pseudo-random data
+	  has been removed from <command>dnssec-signzone</command>
+	  command.
+	</para>
+      </listitem>
     </itemizedlist>
   </section>
 
   <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  BIND will now always you use the best CSPRNG
+	  (cryptographically-secure pseudo-random number generator)
+	  available on the platform where it is compiled.  It will use
+	  arc4random() family of functions on BSDs, getrandom() on
+	  Linux and Solaris, CryptGenRandom on Windows, and the
+	  selected cryptographic library (OpenSSL or PKCS#11) provider
+	  as the last resort. [GL #221]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  BIND can no longer be built without DNSSEC support. A cryptography