CHANGES, release notes

CHANGES

@@ -1,3 +1,12 @@
+5319.	[func]		Trust anchors can now be configured using DS
+			format to represent a key digest, by using the
+			new "initial-ds" or "static-ds" keywords in
+			the "dnssec-keys" statement.
+
+			Note: DNSKEY-format and DS-format trust anchors
+			cannot both be used for the same domain name.
+			[GL #622]
+
 5318.	[cleanup]	The DNSSEC validation code has been refactored
 			for clarity and to reduce code duplication.
 			[GL #622]

doc/arm/notes-9.15.6.xml

@@ -33,6 +33,27 @@
           policy used by <command>dnssec-keymgr</command>.) [GL #1134]
         </para>
       </listitem>
+      <listitem>
+	<para>
+	  Two new keywords have been added to the
+	  <command>dnssec-keys</command> statement:
+	  <command>initial-ds</command> and <command>static-ds</command>.
+	  These allow the use of trust anchors in DS format instead of
+	  DNSKEY format.  DS format allows trust anchors to be configured
+	  for keys that have not yet been published; this is the format
+	  used by IANA when announcing future root keys.
+	</para>
+	<para>
+	  As with the <command>initial-key</command> and
+	  <command>static-key</command> keywords, <command>initial-ds</command>
+	  configures a dynamic trust anchor to be maintained via RFC 5011, and
+	  <command>static-ds</command> configures a permanent trust anchor.
+	</para>
+	<para>
+	  (Note: Currently, DNSKEY-format and DS-format trust anchors
+	  cannot both be used for the same domain name.) [GL #6] [GL #622]
+	</para>
+      </listitem>
     </itemizedlist>
   </section>