A bit more cleanup in the dnssec-keygen manual

Remove another remnant of shared secret HMAC-MD5 support. Explain that with currently recommended setups DNSKEY records are inserted automatically, but you can still use $INCLUDE in other cases.
2026-06-11 12:20:00 -04:00 · 2019-03-13 15:47:31 +00:00 · 2019-03-13 15:47:31 +00:00 · acc3fa04b7
commit acc3fa04b7
parent 48a7efafc2
2 changed files with 8 additions and 9 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
+
 5185.	[placeholder]

 5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@ -571,10 +571,12 @@
      key.
    </para>
    <para>
-      The <filename>.key</filename> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
+      The <filename>.key</filename> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <command>named</command>
+      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
+      records are included automatically. In other cases,
+      the <filename>.key</filename> file can be inserted into a zone file
+      manually or with a <userinput>$INCLUDE</userinput> statement.
    </para>
    <para>
      The <filename>.private</filename> file contains
@ -582,11 +584,6 @@
      fields.  For obvious security reasons, this file does not have
      general read permission.
    </para>
-    <para>
-      Both <filename>.key</filename> and <filename>.private</filename>
-      files are generated for symmetric cryptography algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </para>
  </refsection>

  <refsection><info><title>EXAMPLE</title></info>