From 97cc940286622271b2ef30e4237a8f96a909a9ac Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 8 Oct 2025 09:44:54 +0200 Subject: [PATCH] Add dnssec-policy text for dnssec-importkey You should not use dnssec-importkey to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage. (cherry picked from commit 4df536e0dc2194cb14fd976887c604a08cbc158c) --- bin/dnssec/dnssec-importkey.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/dnssec/dnssec-importkey.rst b/bin/dnssec/dnssec-importkey.rst index 8f6a6b3a11..fec8eb5550 100644 --- a/bin/dnssec/dnssec-importkey.rst +++ b/bin/dnssec/dnssec-importkey.rst @@ -40,6 +40,11 @@ possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline. +When using ``dnssec-policy``, do not use :program:`dnssec-importkey` to +import key files that cannot be used for signing. In this case, simply publish the +imported DNSKEY record in the zone, and make sure that the files are outside +the configured ``key-directory``. + Options ~~~~~~~
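Review bot: In the added paragraph, "simply publish the imported DNSKEY record in the zone" contradicts the sentence before it, which tells the reader not to import the key at all; the record is never imported, so say "publish the DNSKEY record directly in the zone" (or "the other provider's DNSKEY record", matching the multi-signer case named in the commit message). Two further wording points in the same hunk: "key files that cannot be used for signing" is vague for a manpage reader, so state the concrete case the commit message gives (DNSKEY records from other providers, e.g. a multi-signer setup, for which no usable private key exists), and "make sure that the files are outside the configured key-directory" does not say which files or why; suggest "keep any key files for such keys outside the configured ``key-directory``" and add one sentence of rationale so the restriction is not a bare rule, e.g. that keys found in ``key-directory`` are otherwise treated as part of the policy-managed key set, if that is indeed the reason.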