Remove redundant inline-signing lines from docs

Now that inline-signing is explicitly set in dnssec-policy, remove
the redundant "inline-signing yes;" lines from the documentation.
Matthijs Mekking 2022-12-09 12:36:38 +01:00
parent 62ddc3dca0
commit 1e0f77b349
4 changed files with 3 additions and 19 deletions

@ -98,11 +98,11 @@ up-to-date DNSSEC practices:
type primary;
file "dnssec.example.db";
dnssec-policy default;
inline-signing yes;
};
The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
:any:`inline-signing` to be enabled. In the example above we use the latter.
:any:`inline-signing` to be enabled. In the example above we use the latter,
because the ``default`` policy uses :any:`inline-signing`.
This is sufficient to create the necessary signing keys, and generate
``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
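Review bot: The reworded sentence "In the example above we use the latter, because the ``default`` policy uses :any:`inline-signing`" does not tell a reader with a different policy what to do. With "inline-signing yes;" gone from the zone block, nothing in the example shows where the setting lives. Suggest stating outright that the ``default`` policy enables inline-signing, and that a zone using another policy needs either inline-signing enabled or dynamic DNS set up.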
@ -174,7 +174,6 @@ by configuring parental agents:
type primary;
file "dnssec.example.db";
dnssec-policy default;
inline-signing yes;
parental-agents { 192.0.2.1; };
checkds explicit;
};

@ -6086,7 +6086,7 @@ zone is maintained separately and is written out to a different file on disk
If the zone is dynamic because it is configured with an :any:`update-policy` or
:any:`allow-update`, the DNSSEC records are written to the filename set in the
original zone's :any:`file`, unless :any:`inline-signing` is explicitly set.
original zone's :any:`file`, unless :any:`inline-signing` is enabled.
Key rollover timing is computed for each key according to the key
lifetime defined in the KASP. The lifetime may be modified by zone TTLs
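Review bot: The new wording "unless :any:`inline-signing` is enabled" no longer says where the setting can come from. The commit message says inline-signing is now set in dnssec-policy, so a dynamic zone with :any:`update-policy` or :any:`allow-update` may have it enabled without any inline-signing line in its own zone block. Suggest adding a short qualifier such as "(in the zone or through its :any:`dnssec-policy`)" so operators of dynamic zones know which file will receive the DNSSEC records.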

@ -63,7 +63,6 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
file "db/example.com.db";
key-directory "keys/example.com";
dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
};
@ -143,7 +142,6 @@ signed data via zone transfer to the other three DNS secondaries. Its
file "db/example.com.db";
key-directory "keys/example.com";
dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
};
@ -997,7 +995,6 @@ Here is what :iscman:`named.conf` looks like when it is signed:
type primary;
file "db/example.com.db";
dnssec-policy "default";
inline-signing yes;
};
To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@ -1009,7 +1006,6 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
type primary;
file "db/example.com.db";
dnssec-policy "insecure";
inline-signing yes;
};
Then use :option:`rndc reload` to reload the zone.
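Review bot: In the reversion example the zone switches to dnssec-policy "insecure" and also loses its zone-level "inline-signing yes;", but nothing visible in this diff shows that the "insecure" policy enables inline-signing the way the neighbouring text says of "default". If it does not, an operator following this example would change the signing mode in the same step as going unsigned. Please confirm that "insecure" keeps inline-signing and say so in the text beside the example, or keep the line here.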

@ -66,7 +66,6 @@ To sign a zone, add the following statement to its
zone "example.com" in {
...
dnssec-policy default;
inline-signing yes;
...
};
@ -81,14 +80,6 @@ default values.
Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing`
to be enabled.
.. note::
Previously, if a zone with a :any:`dnssec-policy` did not have dynamic
DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used
inline-signing implicitly. But this caused a lot of problems when operators
switched on or off dynamic DNS for their zones. Therefor, you now have to
configure it explicitly.
When the configuration file is updated, tell :iscman:`named` to
reload the configuration file by running :option:`rndc reconfig`:
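Review bot: Deleting the whole note leaves "Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` to be enabled" with no hint of how inline-signing gets enabled, and the zone example in the previous hunk no longer shows it either. Rather than dropping the note, replace it with one sentence saying that inline-signing is now set in the dnssec-policy, so readers who remember the earlier explicit requirement can see what changed.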
@ -832,7 +823,6 @@ this example, we'll add it to the :any:`zone` statement:
zone "example.net" in {
...
dnssec-policy standard;
inline-signing yes;
...
};
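Review bot: This excerpt uses a policy named "standard" rather than "default", so removing "inline-signing yes;" from the zone is only correct if the definition of "standard" enables inline-signing, and that definition is not part of this diff. Please check the policy definition the guide gives for "standard" and either show the setting there or add a sentence here saying where it comes from. The same applies to the parental-agents excerpt in the next hunk.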
@ -914,7 +904,6 @@ presence. Let's look at the following configuration excerpt:
zone "example.net" in {
...
dnssec-policy standard;
inline-signing yes;
parental-agents { "net"; };
checkds explicit;
...