From 3c87233985cc235d01c6891fd2e2870b5e80d010 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Wed, 25 Dec 2013 14:13:46 +0100 Subject: [PATCH] add direct-dnskey to doc --- pdns/docs/pdns.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index b639cbbb04..48182f50b3 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml @@ -13237,6 +13237,14 @@ $ pdnssec rectify-zone powerdnssec.org +
Secure transfers + + From 3.3.1. and up, PowerDNS support secure DNSSEC transfers as described in draft-koch-dnsop-dnssec-operator-change-05. + If the direct-dnskey option is enabled the foreign DNSKEY records stored in the database are added to the keyset and signed + with the KSK. Without the direct-dnskey option DNSKEY records in the database are silently ignored. + +
Security During typical PowerDNSSEC operation, the private part of the signing keys are 'online', which can be compared @@ -15880,6 +15888,10 @@ To enable a Lua script for a particular slave zone, determine the domain_id for TTL to use when none is provided. + direct-dnskey=... + + Read additional ZSKs from the records table/your BIND zonefile + disable-axfr=... Do not allow zone transfers. Before 2.9.10, this could be overridden by allow-axfr-ips. -- 2.47.2
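Review bot: In the new "Secure transfers" section (hunk at -13237), the sentence "Without the direct-dnskey option DNSKEY records in the database are silently ignored" leaves the operator no way to tell from the documentation whether inserted keys are actually being published. Consider adding a line on how to confirm the resulting keyset. The text should also state that, with the option enabled, any DNSKEY record present in the records table is signed with the KSK, so write access to that table becomes equivalent to adding trusted keys to the zone. The adjacent "Security" section would be a natural place for that caveat. Two wording fixes in the same paragraph: "PowerDNS support" should read "PowerDNS supports", and "From 3.3.1. and up" has a stray period after the version number.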
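Review bot: The new "direct-dnskey=..." settings entry (hunk at -15880) does not agree with the "Secure transfers" section added in the same patch. The entry says "Read additional ZSKs from the records table/your BIND zonefile", while the section speaks of "foreign DNSKEY records stored in the database" and does not mention BIND zonefiles at all. Please use one term (DNSKEY records or ZSKs) and one statement of which backends are covered in both places. The entry also omits the default value and the "3.3.1 and up" availability given in the section, which neighbouring entries such as disable-axfr do note ("Before 2.9.10, ..."), and a cross-reference to "Secure transfers" would help readers find the behaviour description.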