diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 3d9ef761a3..e36559a2a9 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -558,7 +558,9 @@ Only sign the DNSKEY RRset with key-signing keys, and omit - signatures from zone-signing keys. + signatures from zone-signing keys. (This is similar to the + dnskey-ksk-only yes; zone option in + named.) @@ -569,7 +571,9 @@ Ignore KSK flag on key when determining what to sign. This causes KSK-flagged keys to sign all records, not just the - DNSKEY RRset. + DNSKEY RRset. (This is similar to the + update-check-ksk no; zone option in + named.) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index a6564ccbe9..4ce37a3b73 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -6459,7 +6459,9 @@ options { used to sign the DNSKEY RRset at the zone apex. However, if this option is set to no, then the KSK bit is ignored; KSKs are treated as if they - were ZSKs and are used to sign the entire zone. + were ZSKs and are used to sign the entire zone. This is + similar to the dnssec-signzone -z + command line option. When this option is set to yes, there @@ -6482,6 +6484,10 @@ options { to sign the DNSKEY RRset at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset. + This is similar to the + dnssec-signzone -x command line option. + + The default is no. If update-check-ksk is set to no, this option is ignored.
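Review bot: in bin/dnssec/dnssec-signzone.docbook, hunk @@ -558,7 +558,9 @@, the new parenthetical points readers to "dnskey-ksk-only yes;" but omits the dependency that the Bv9ARM-book.xml text in this same patch states: "If update-check-ksk is set to no, this option is ignored." Someone who follows the man page to named.conf will not learn that the zone option only takes effect while update-check-ksk is yes. Suggest adding that condition to the parenthetical, and stating what the signer does when this option is combined with the KSK-flag-ignoring option from the next hunk, since the visible text does not cover that combination.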
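Review bot: in bin/dnssec/dnssec-signzone.docbook, hunk @@ -569,7 +571,9 @@, "This is similar to the update-check-ksk no; zone option" leaves the reader guessing how the two differ. If the selection of which keys sign which RRsets is the same in both tools, say "equivalent to"; if it is not, name the difference in the same sentence. The same wording question applies to the parenthetical added in the previous hunk, so whichever term is chosen should be used in both places.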
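Review bot: in doc/arm/Bv9ARM-book.xml, hunk @@ -6459,7 +6459,9 @@, the added "This is similar to the dnssec-signzone -z command line option" does not say which value of the option it refers to. The paragraph describes the behaviour for both settings and the next context line begins "When this option is set to yes", so "This" can be read either way. The man page side of the patch is explicit ("update-check-ksk no;"); suggest matching it here, for example "Setting this option to no is similar to the dnssec-signzone -z command line option."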
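Review bot: in doc/arm/Bv9ARM-book.xml, hunk @@ -6482,6 +6484,10 @@, the cross-reference to dnssec-signzone -x again omits the value it corresponds to, and it now sits directly before "The default is no.", which makes it easy to misread as describing the default. Suggest wording it as "Setting this option to yes is similar to the dnssec-signzone -x command line option", in line with "dnskey-ksk-only yes;" in the man page hunk. The closing context sentence, "If update-check-ksk is set to no, this option is ignored", is the caveat an operator most needs when comparing the two tools, so consider moving the cross-reference after it or repeating the condition there.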