diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index f3d364db2d..732e2debd5 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -98,11 +98,11 @@ up-to-date DNSSEC practices: type primary; file "dnssec.example.db"; dnssec-policy default; - inline-signing yes; }; The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or -:any:`inline-signing` to be enabled. In the example above we use the latter. +:any:`inline-signing` to be enabled. In the example above we use the latter, +because the ``default`` policy uses :any:`inline-signing`. This is sufficient to create the necessary signing keys, and generate ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes @@ -174,7 +174,6 @@ by configuring parental agents: type primary; file "dnssec.example.db"; dnssec-policy default; - inline-signing yes; parental-agents { 192.0.2.1; }; checkds explicit; }; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 883e475646..96a7ebb6b0 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6086,7 +6086,7 @@ zone is maintained separately and is written out to a different file on disk If the zone is dynamic because it is configured with an :any:`update-policy` or :any:`allow-update`, the DNSSEC records are written to the filename set in the -original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. +original zone's :any:`file`, unless :any:`inline-signing` is enabled. Key rollover timing is computed for each key according to the key lifetime defined in the KASP. The lifetime may be modified by zone TTLs diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index ea24dc6650..e961584d61 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst 
@@ -63,7 +63,6 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1 file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; - inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -143,7 +142,6 @@ signed data via zone transfer to the other three DNS secondaries. Its file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; - inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -997,7 +995,6 @@ Here is what :iscman:`named.conf` looks like when it is signed: type primary; file "db/example.com.db"; dnssec-policy "default"; - inline-signing yes; }; To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: @@ -1009,7 +1006,6 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: type primary; file "db/example.com.db"; dnssec-policy "insecure"; - inline-signing yes; }; Then use :option:`rndc reload` to reload the zone. diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 3531651ad9..b8f0ebaf54 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -66,7 +66,6 @@ To sign a zone, add the following statement to its zone "example.com" in { ... dnssec-policy default; - inline-signing yes; ... }; @@ -81,14 +80,6 @@ default values. Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` to be enabled. -.. note:: - - Previously, if a zone with a :any:`dnssec-policy` did not have dynamic - DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used - inline-signing implicitly. But this caused a lot of problems when operators - switched on or off dynamic DNS for their zones. Therefor, you now have to - configure it explicitly. - When the configuration file is updated, tell :iscman:`named` to reload the configuration file by running :option:`rndc reconfig`: 
@@ -832,7 +823,6 @@ this example, we'll add it to the :any:`zone` statement: zone "example.net" in { ... dnssec-policy standard; - inline-signing yes; ... }; @@ -914,7 +904,6 @@ presence. Let's look at the following configuration excerpt: zone "example.net" in { ... dnssec-policy standard; - inline-signing yes; parental-agents { "net"; }; checkds explicit; ...
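Review bot: In the first doc/arm/dnssec.inc.rst hunk, the reworded sentence "In the example above we use the latter, because the ``default`` policy uses :any:`inline-signing`" points at a setting that no longer appears anywhere in the example, so a reader cannot see where it comes from or how to change it. Suggest saying explicitly that the setting now comes from the policy rather than from the zone statement, and what an operator should configure if the zone is meant to be dynamically updated instead.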
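Review bot: In the doc/dnssec-guide/signing.rst hunk at -81,14 that deletes the ".. note::" block, the sentence kept just above it, "Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` to be enabled", is left next to an example that now shows neither. The dnssec.inc.rst hunk adds "because the ``default`` policy uses :any:`inline-signing`" for the same situation; add the equivalent sentence here. The deleted note was also the only text in this file describing the earlier behaviour, so consider keeping a short replacement that tells operators upgrading from a configuration with an explicit zone-level setting what to expect.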
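Review bot: The doc/dnssec-guide/signing.rst hunks at -832 and -914 drop "inline-signing yes;" from zones that use "dnssec-policy standard;", and the doc/dnssec-guide/recipes.rst hunk at -1009 does the same for "dnssec-policy "insecure";", but the only justification visible in this patch covers the ``default`` policy. Please confirm that these policies also enable inline-signing and state that in the surrounding text, or keep the line in these examples so a copied configuration still meets the "requires dynamic DNS or :any:`inline-signing`" condition.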