From 1befaa5d450d80b8775c58b45bb3c5d5d2cdea97 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 20 Jul 2021 11:40:39 +0200
Subject: [PATCH] Add release note and change entry for [#1551]

---
 CHANGES                     | 7 +++++++
 doc/notes/notes-current.rst | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/CHANGES b/CHANGES
index 9707cda419..85e4fd90b9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5690.	[func]		Change "dnssec-signzone" to honor the Predecessor and
+			Successor metadata values, and allow for gradual
+			replacement of RRSIGs. In other words, don't sign
+			with the successor key if there is an RRSIG from the
+			predecessor key that does not need to be refreshed.
+			[GL #1551]
+
 5689.	[placeholder]
 
 5688.	[bug]		Inline and dnssec-policy zones could fail to apply
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c6a5892d0e..b0fa7eaab8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -66,6 +66,11 @@ Feature Changes
   record.  This allows a clean rollover from one DNS provider to another
   when using a multiple-signer DNSSEC configuration. :gl:`#2710`
 
+- ``dnssec-signzone`` is now able to retain signatures from inactive
+  predecessor keys without introducing additional signatures from the successor
+  key. This allows for a gradual replacement of RRSIGs as they reach expiry.
+  :gl:`#1551`
+
 Bug Fixes
 ~~~~~~~~~