From: Matthijs Mekking Date: Wed, 8 Oct 2025 07:44:54 +0000 (+0200) Subject: Add dnssec-policy text for dnssec-importkey X-Git-Tag: v9.21.15~71^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4df536e0dc2194cb14fd976887c604a08cbc158c;p=thirdparty%2Fbind9.git Add dnssec-policy text for dnssec-importkey You should not use dnssec-importkey to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage. --- diff --git a/bin/dnssec/dnssec-importkey.rst b/bin/dnssec/dnssec-importkey.rst index 8f6a6b3a11c..fec8eb55503 100644 --- a/bin/dnssec/dnssec-importkey.rst +++ b/bin/dnssec/dnssec-importkey.rst @@ -40,6 +40,11 @@ possible to set publication (:option:`-P`) and deletion (:option:`-D`) times for key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline. +When using ``dnssec-policy``, do not use :program:`dnssec-importkey` to +import key files that cannot be used for signing. In this case, simply publish the +imported DNSKEY record in the zone, and make sure that the files are outside +the configured ``key-directory``. + Options ~~~~~~~
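Review bot: the paragraph added to dnssec-importkey.rst first tells the reader not to use dnssec-importkey, then refers to "the imported DNSKEY record" and to "the files" that must sit outside ``key-directory``. This leaves it unclear which record and which files are meant if nothing was imported. The commit message names the actual case (DNSKEY records from other providers, for example a multi-signer setup), but the manpage text only says "key files that cannot be used for signing", and "In this case" has no clear antecedent. I would name the multi-signer case explicitly in the manpage and replace "imported DNSKEY record" with something like "the other provider's DNSKEY record". I would also state which files must stay out of ``key-directory``, and add one sentence on why, since the paragraph gives the operator a rule without the consequence of breaking it.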