Clarify rndc sign

It was not explicitly clear that 'rndc sign' replaces signatures of
inactive keys and updates signatures that are not so fresh.

(cherry picked from commit 3f52303ef7)
Matthijs Mekking 2025-08-26 13:58:59 +02:00 committed by Matthijs Mekking (GitLab job 6660752)
parent 7861d0264c
commit aec7f3586e

@ -277,9 +277,7 @@ Currently supported commands are:
immediately re-signed by the new keys, but is allowed to
incrementally re-sign over time.
This command requires that the zone be configured with a ``dnssec-policy``, and
also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
Update Policies" in the Administrator Reference Manual for more details.)
This command requires that the zone be configured with a ``dnssec-policy``.
.. option:: managed-keys (status | refresh | sync | destroy) [class [view]]
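Review bot: The removal of the "also requires the zone to be configured to allow dynamic DNS" sentence in this hunk is not covered by the commit message, which only talks about clarifying 'rndc sign'. This hunk sits in a different command's description (the entry just before ``managed-keys``), so please either mention in the commit message that the dynamic DNS requirement is being dropped from the documentation and why it no longer applies, or move that removal into its own commit. That way a reader of the history can tell the requirement was removed deliberately and not as a side effect of a wording change.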
@ -549,11 +547,11 @@ Currently supported commands are:
the ``key-directory`` option in the BIND 9 Administrator Reference
Manual). If they are within their publication period, they are merged into
the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the
zone is automatically re-signed with the new key set.
zone is automatically re-signed with the new key set. This will replace signatures
of inactive keys with signatures from active keys, and update signatures that
expire within the refresh interval.
This command requires that the zone be configured with a ``dnssec-policy``, and
also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
Update Policies" in the Administrator Reference Manual for more details.)
This command requires that the zone be configured with a ``dnssec-policy``.
See also :option:`rndc loadkeys`.
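Review bot: The added sentence starting "This will replace signatures of inactive keys" follows directly after "If the DNSKEY RRset is changed, then the zone is automatically re-signed", so "This" reads as applying only when the DNSKEY RRset changed. The commit message says 'rndc sign' itself replaces signatures of inactive keys and updates signatures that are not so fresh, which sounds unconditional. Consider naming the subject explicitly (for example "The re-signing replaces ..." or "``rndc sign`` also replaces ...") so operators know whether stale signatures are refreshed even when the key set is unchanged. It would also help to say which setting defines "the refresh interval". As in the first hunk, the dropped dynamic DNS requirement deserves a line in the commit message.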