Add inline-signing to config examples

Add 'inline-signing yes;' to configuration examples to have working copy paste configurations. (cherry picked from commit 18d230a584)
2025-08-30 14:07:59 +00:00 · 2022-09-27 12:04:37 +02:00
parent d1a01d88f9
commit 2abb2b638a
3 changed files with 12 additions and 1 deletions
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@@ -99,9 +99,13 @@ up-to-date DNSSEC practices:
        type primary;
        file "dnssec.example.db";
        dnssec-policy default;
+        inline-signing yes;
    };

-This single line is sufficient to create the necessary signing keys, and generate
+The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
+:any:`inline-signing` to be enabled. In the example above we use the latter.
+
+This is sufficient to create the necessary signing keys, and generate
 ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
 care of any DNSSEC maintenance for this zone, including replacing signatures
 that are about to expire and managing :ref:`key_rollovers`.
@@ -171,6 +175,7 @@ by configuring parental agents:
        type primary;
        file "dnssec.example.db";
        dnssec-policy default;
+        inline-signing yes;
        parental-agents { 192.0.2.1; };
    };

--- a/doc/dnssec-guide/recipes.rst
+++ b/doc/dnssec-guide/recipes.rst
@@ -63,6 +63,7 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
       file "db/example.com.db";
       key-directory "keys/example.com";
       dnssec-policy default;
+       inline-signing yes;
       allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
   };

@@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its
       file "db/example.com.db";
       key-directory "keys/example.com";
       dnssec-policy default;
+       inline-signing yes;
       allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
   };

@@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed:
       type primary;
       file "db/example.com.db";
       dnssec-policy "default";
+       inline-signing yes;
   };

 To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
       type primary;
       file "db/example.com.db";
       dnssec-policy "insecure";
+       inline-signing yes;
   };

 Then use :option:`rndc reload` to reload the zone.
--- a/doc/dnssec-guide/signing.rst
+++ b/doc/dnssec-guide/signing.rst
@@ -835,6 +835,7 @@ this example, we'll add it to the :any:`zone` statement:
   zone "example.net" in {
       ...
       dnssec-policy standard;
+       inline-signing yes;
       ...
   };

@@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt:
   zone "example.net" in {
       ...
       dnssec-policy standard;
+       inline-signing yes;
       parental-agents { "net"; };
       ...
   };