From d1a01d88f992da30d2a93d968d58a8201ba5c3f3 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 27 Sep 2022 11:57:53 +0200 Subject: [PATCH] Update inline-signing requirement to ARM This change was made in !6403, but the appropriate documentation changes were not applied to the ARM. (cherry picked from commit 5d454a715876f8524e11acfbccfd1292c3fbedfa) --- doc/arm/reference.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 9204b74ed6..9e20e4064c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6339,12 +6339,16 @@ zone is generated even if they have the same policy. If multiple views are configured with different versions of the same zone, each separate version uses the same set of signing keys. -By default, :any:`dnssec-policy` assumes :any:`inline-signing`. This means that -a signed version of the zone is maintained separately and is written out to -a different file on disk (the zone's filename plus a ``.signed`` extension). +The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or +:any:`inline-signing` to be enabled. + +If :any:`inline-signing` is enabled, this means that a signed version of the +zone is maintained separately and is written out to a different file on disk +(the zone's filename plus a ``.signed`` extension). If the zone is dynamic because it is configured with an :any:`update-policy` or -:any:`allow-update`, the DNSSEC records are written to the filename set in the original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. +:any:`allow-update`, the DNSSEC records are written to the filename set in the +original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. Key rollover timing is computed for each key according to the key lifetime defined in the KASP. The lifetime may be modified by zone TTLs