Add dnssec-policy text for dnssec-importkey

author Matthijs Mekking <matthijs@isc.org>

Wed, 8 Oct 2025 07:44:54 +0000 (09:44 +0200)

committer Matthijs Mekking <matthijs@isc.org>

Fri, 10 Oct 2025 14:49:55 +0000 (16:49 +0200)
author Matthijs Mekking <matthijs@isc.org>
Wed, 8 Oct 2025 07:44:54 +0000 (09:44 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Fri, 10 Oct 2025 14:49:55 +0000 (16:49 +0200)
diff --git a/bin/dnssec/dnssec-importkey.rst b/bin/dnssec/dnssec-importkey.rst

index 8f6a6b3a11c5b62e1c301bac077294ac0eaa9cc3..fec8eb5550373f6590e8a0dcfee003792ee2e80b 100644 (file)
--- a/bin/dnssec/dnssec-importkey.rst
+++ b/bin/dnssec/dnssec-importkey.rst
@@ -40,6 +40,11 @@ possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for
  key, which means the public key can be added to and removed from the
  DNSKEY RRset on schedule even if the true private key is stored offline.
  
+When using ``dnssec-policy``, do not use :program:`dnssec-importkey` to
+import key files that cannot be used for signing. In this case, simply publish the
+imported DNSKEY record in the zone, and make sure that the files are outside
+the configured ``key-directory``.
+
  Options
  ~~~~~~~
author	Matthijs Mekking <matthijs@isc.org>
	Wed, 8 Oct 2025 07:44:54 +0000 (09:44 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Fri, 10 Oct 2025 14:49:55 +0000 (16:49 +0200)