docs: Add warning on empty bind-dnssec-db for slave operation

I fell right into the pitfall of configuring a slave with the BIND
backend, serving presigned records, assuming it will serve the RRSIGs
just fine, but no, my domain went bogus. This was documented, but
not as clearly as I hoped for, this commit improves the documentation
regarding that.

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index c2e517fc3e660e68c10ee1483b12db19dc17ef0a..1ba207058e737c8d9eccf187b50612ae209d851f 100644 (file)
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -73,6 +73,11 @@ slave DNSSEC-enabled domains (where the RRSIGS are in the AXFR), a
 :ref:`metadata-presigned` domain metadata is set
 during the zonetransfer.
 
+.. warning::
+   If this is left empty on slaves and a presigned zone is transferred,
+   it will (silently) serve it without DNSSEC. This in turn results in
+   serving the domain as bogus.
+
 .. _setting-bind-hybrid:
 
 ``bind-hybrid``