Merge branch 'u/fanf2/man-dnssec-keygen-again-v9_14' into 'v9_14'

A bit more cleanup in the dnssec-keygen manual

See merge request isc-projects/bind9!1684

CHANGES

@@ -1,3 +1,5 @@
+5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
+
 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
 
 5183.	[bug]		Reinitialize ECS data before reusing client

bin/dnssec/dnssec-keygen.docbook

@@ -571,10 +571,12 @@
       key.
     </para>
     <para>
-      The <filename>.key</filename> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
+      The <filename>.key</filename> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <command>named</command>
+      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
+      records are included automatically. In other cases,
+      the <filename>.key</filename> file can be inserted into a zone file
+      manually or with a <userinput>$INCLUDE</userinput> statement.
     </para>
     <para>
       The <filename>.private</filename> file contains
@@ -582,11 +584,6 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </para>
-    <para>
-      Both <filename>.key</filename> and <filename>.private</filename>
-      files are generated for symmetric cryptography algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </para>
   </refsection>
 
   <refsection><info><title>EXAMPLE</title></info>