CHANGES, release notes, README

CHANGES

+5010.	[func]		New "validate-except" option specifies a list of
+			domains beneath which DNSSEC validation should not
+			be performed. [GL #237]
+
 5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
 			error queue was not logged. [GL #476]

README

@@ -114,6 +114,9 @@ of changes from BIND 9.12 and earlier releases. New features include:
     subject to DNSSEC validation and are not treated as authoritative data
     when answering. This makes it easier to configure a local copy of the
     root zone as described in RFC 7706.
+  * QNAME minimization is now supported
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
 
 In addition, cryptographic support has been modernized. BIND now uses the
 best available pseudo-random number generator for the platform on which

README.md

@@ -131,6 +131,9 @@ include:
   DNSSEC validation and are not treated as authoritative data when
   answering. This makes it easier to configure a local copy of the root
   zone as described in RFC 7706.
+* QNAME minimization is now supported
+* The "validate-except" option allows configuration of domains below which
+  DNSSEC validation should not be performed.
 
 In addition, cryptographic support has been modernized. BIND now uses the
 best available pseudo-random number generator for the platform on which

doc/arm/notes.xml

@@ -143,6 +143,14 @@
 	  loss of security.
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The <command>validate-except</command> option specifies a list of
+	  domains beneath which DNSSEC validation should not be performed,
+	  regardless of whether a trust anchor has been configured above
+	  them. [GL #237]
+	</para>
+      </listitem>
     </itemizedlist>
   </section>