From 85f966a8f6795ae934d55ad07159277b3bbd91a2 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 24 Jan 2024 14:45:29 +0000 Subject: [PATCH] Document a specific 'dnssec-validation yes' usage incompatibility Static trust anchor for the root zone can not be used with 'dnssec-validation auto'. --- doc/arm/reference.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 57931b9a6b..14bedfaea0 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2572,7 +2572,10 @@ Boolean Options If set to ``auto``, DNSSEC validation is enabled and a default trust anchor for the DNS root zone is used. This trust anchor is provided as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key - management. + management. Adding an explicit static key using the :any:`trust-anchors` + statement with a ``static-key`` anchor type (or using the deprecated + :any:`trusted-keys` statement) for the root zone is not supported with the + ``auto`` setting, and is treated as a configuration error. If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be manually configured using a :any:`trust-anchors` statement (or the
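Review bot: The subject line names 'dnssec-validation yes', but the commit body and the sentence added to the ``auto`` paragraph in doc/arm/reference.rst both describe a restriction on ``auto``. The subject should read 'dnssec-validation auto' so the log matches the change. In the added text only the ``static-key`` anchor type is named. If a root-zone anchor of any other static type in :any:`trust-anchors` is rejected the same way, the sentence should say so, otherwise readers will assume only ``static-key`` triggers the configuration error. It would also help to close the sentence by pointing operators who need a static root anchor to the ``yes`` setting described in the following paragraph, since that is where a manually configured anchor is expected.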