Add a note about pregenarating keys for key rolls

With dnssec-policy you can pregenerate keys and if they are eligible, rather than creating a new key, a key is selected from the pregenerated keys. A key is eligible if it is unused, i.e it has no key timing metadata set. (cherry picked from commit 9880bfff63d853629afb85394a65dd4eaf9f90b0)
2025-08-29 05:28:00 +00:00 · 2025-04-11 13:16:39 -05:00 · 2025-04-11 13:16:39 -05:00 · 9d97cfd594
commit 9d97cfd594
parent 51e51d5ea8
1 changed files with 5 additions and 0 deletions
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@ -196,6 +196,11 @@ To roll a key sooner than scheduled, or to roll a key that
 has an unlimited lifetime, use:
 :option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`.

+You can pregenerate keys and save them in the key directory. As long as the
+key has no timing metadata set, it may be selected as a successor in the
+upcoming key rollover. To pregenerate keys without setting key timing metadata,
+use the `-G` option: ``dnssec-keygen -G dnssec.example.``.
+
 To revert a signed zone back to an insecure zone, change
 the zone configuration to use the built-in "insecure" policy. Detailed
 instructions are described in :ref:`revert_to_unsigned`.