remove references to dnssec-enable in the documentation

bin/rndc/rndc.docbook

@@ -1078,13 +1078,6 @@
 	  <para>
 	    Enable, disable, or check the current status of
 	    DNSSEC validation.  By default, validation is enabled.
-	    (Note that <command>dnssec-enable</command> must also be
-	    <userinput>yes</userinput> (the default value) for signatures
-	    to be returned along with validated data. If validation is
-	    enabled while <command>dnssec-enable</command> is set to
-	    <userinput>no</userinput>, the server will validate internally,
-	    but will not supply clients with the necessary records to allow
-	    validity to be confirmed.)
 	  </para>
 	</listitem>
       </varlistentry>

doc/arm/Bv9ARM-book.xml

@@ -2194,12 +2194,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
       </section>
 
       <section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
-	<para>
-	  To enable <command>named</command> to respond appropriately
-	  to DNS requests from DNSSEC-aware clients,
-	  <command>dnssec-enable</command> must be set to
-	  <userinput>yes</userinput>. This is the default setting.
-	</para>
 	<para>
 	  To enable <command>named</command> to validate answers
 	  received from other servers, the
@@ -2230,17 +2224,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  built with <command>configure --disable-auto-validation</command>,
 	  in which case the default is <userinput>yes</userinput>.
 	</para>
-	<para>
-	  If <command>dnssec-enable</command> is set to
-	  <userinput>no</userinput>, then the default for
-	  <command>dnssec-validation</command> is also changed to
-	  <userinput>no</userinput>. If
-	  <command>dnssec-validation</command> is set to
-	  <userinput>yes</userinput>, the server will
-	  perform DNSSEC validation internally, but will not return
-	  signatures when queried - but it will not be turned on
-	  automatically.
-	</para>
 
 	<para>
 	  <command>trusted-keys</command> are copies of DNSKEY RRs
@@ -2329,7 +2312,6 @@ trusted-keys {
 
 options {
 	...
-	dnssec-enable yes;
 	dnssec-validation yes;
 };
 </programlisting>
@@ -6379,12 +6361,7 @@ options {
 	      <term><command>dnssec-enable</command></term>
 	      <listitem>
 		<para>
-		  This indicates whether DNSSEC-related resource
+		  This option is obsolete and has no effect.
-		  records are to be returned by <command>named</command>.
-		  If set to <userinput>no</userinput>,
-		  <command>named</command> will not return DNSSEC-related
-		  resource records unless specifically queried for.
-		  The default is <userinput>yes</userinput>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6393,10 +6370,8 @@ options {
 	      <term xml:id="dnssec_validation_term"><command>dnssec-validation</command></term>
 	      <listitem>
 		<para>
-		  This enables DNSSEC validation in <command>named</command>.
+		  This option enables DNSSEC validation in
-		  Note that <command>dnssec-enable</command> also needs to
+		  <command>named</command>.
-		  be set to <userinput>yes</userinput> for signatures to be
-		  returned to the client along with validated answers.
 		</para>
 	        <para>
 		  If set to <userinput>auto</userinput>,
@@ -6420,13 +6395,6 @@ options {
 		  BIND is built with
 		  <command>configure --disable-auto-validation</command>,
 		  in which case the default is <userinput>yes</userinput>.
-		  If <command>dnssec-enable</command> is set to
-		  <userinput>no</userinput>, then the default for
-		  <command>dnssec-validation</command> is also
-		  <userinput>no</userinput>. Validation can still be turned on
-		  if desired - this results in a server that performs DNSSEC
-		  validation but does not return signatures when queried -
-		  but it will not be turned on automatically.
 		</para>
 		<para>
 		  The default root trust anchor is stored in the file