From b232fabe89b2fff68eaef5732835e008211d769e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 7 Jun 2022 15:44:36 +0200
Subject: [PATCH] Add change and release note for #3381

Because folks want to know.

(cherry picked from commit 2b95c11905a1a5faff9efa97a4f2498aadfa467b)
---
 CHANGES                     | 3 +++
 doc/notes/notes-current.rst | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 3598e9c0ce..df6b87e38d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -34,6 +34,9 @@
 5942.	[bug]		Fix tkey.c:buildquery() function's error handling by
 			adding the missing cleanup code. [GL #3492]
 
+5941.	[func]		Zones with dnssec-policy now require dynamic DNS or
+			inline-siging to be configured explicitly. [GL #3381]
+
 5938.	[bug]		An integer type overflow could cause an assertion
 			failure when freeing memory. [GL #3483]
 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 0937570736..8e177646b9 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -35,7 +35,8 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- None.
+- Zones using ``dnssec-policy`` now require dynamic DNS or
+  ``inline-signing`` to be configured explicitly :gl:`#3381`.
 
 - When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY
   algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail