From 4efd3bc1f4349ff46f7a6f2d357b803a41f271f0 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 4 Sep 2025 09:45:11 +0200 Subject: [PATCH] Document rndc dnssec -step This documentation was missing from !10774. (cherry picked from commit b1a9ce710409cd6df55c58ba1e693125cfa7147f) --- bin/rndc/rndc.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 0cb54dce7e..6ffd32fe49 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst @@ -171,7 +171,7 @@ Currently supported commands are: See also :option:`rndc addzone` and :option:`rndc modzone`. -.. option:: dnssec (-status | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time] published | withdrawn)) zone [class [view]] +.. option:: dnssec (-status | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time] published | withdrawn)) zone [class [view]] This command allows you to interact with the "dnssec-policy" of a given zone. @@ -179,6 +179,13 @@ Currently supported commands are: ``rndc dnssec -status`` show the DNSSEC signing state for the specified zone. + ``rndc dnssec -step`` sends a signal to an instance of :iscman:`named` for a + zone configured with ``dnssec-policy`` in manual mode, telling it to + continue with the operations that had previously been blocked but logged. + This gives the human operator a chance to review the log messages, + understand what will happen next and then, using ``rndc dnssec -step``, to + inform :iscman:`named` to proceed to the next stage. + ``rndc dnssec -rollover`` allows you to schedule key rollover for a specific key (overriding the original key lifetime).
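Review bot: The synopsis line changed in the first hunk (@@ -171,7 +171,7) has unbalanced parentheses: it opens one "(" after "dnssec" but closes with "withdrawn))", so the "published | withdrawn" alternative is not clearly bound to -checkds and reads as if "withdrawn" were a top-level alternative next to -status and -step. Since this line is being touched anyway, group the pair as "(published | withdrawn)" so that the new "-step" entry sits in a synopsis that parses unambiguously.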
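Review bot: In the paragraph added by the second hunk (@@ -179,6 +179,13), "sends a signal to an instance of named" can be read as a POSIX process signal; because this is an rndc command, "tells named" or "instructs named" is less ambiguous and matches the neighbouring -status and -rollover entries. The text also leaves out what -step does when the zone is not in manual mode or when nothing is currently blocked, and it does not say where manual mode is configured or which log messages the operator is expected to review. A cross-reference to the "dnssec-policy" manual mode documentation, plus a pointer to "rndc dnssec -status" for checking the zone's state before stepping, would cover this. "to inform named to proceed" would also read better as "tell named to proceed".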