update man page for dnssec-signzone
authorEvan Hunt <each@isc.org>
Tue, 9 Jun 2009 02:47:43 +0000 (02:47 +0000)
committerEvan Hunt <each@isc.org>
Tue, 9 Jun 2009 02:47:43 +0000 (02:47 +0000)
doc/arm/man.dnssec-signzone.html

index 017d7881bd78a9f544bbeac5b7aad9744782bb05..9e4b00f563deba273a1bff2e000c730e656278a7 100644 (file)
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-signzone.html,v 1.94.14.10 2009/06/08 22:23:07 each Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.94.14.11 2009/06/09 02:47:43 each Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608094"></a><h2>DESCRIPTION</h2>
+<a name="id306704"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608114"></a><h2>OPTIONS</h2>
+<a name="id306727"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659164"></a><h2>EXAMPLE</h2>
+<a name="id307453"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -305,14 +305,39 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659237"></a><h2>SEE ALSO</h2>
+<a name="id307535"></a><h2>KNOWN BUGS</h2>
+<p>
+        <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
+        sign a zone partially, using only a subset of the DNSSEC keys
+        needed to produce a fully-signed zone.  This permits a zone
+        administrator, for example, to sign a zone with one key on one
+        machine, move the resulting partially-signed zone to a second
+        machine, and sign it again with a second key.
+    </p>
+<p>
+        An unfortunate side-effect of this flexibility is that
+        <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
+        it's signing a zone with any valid keys at all.  An attempt to
+        sign a zone without any keys will appear to succeed, producing
+        a "signed" zone with no signatures.  There is no warning issued
+        when a zone is not fully signed.
+    </p>
+<p>
+        This will be corrected in a future release.  In the meantime, ISC
+        recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
+        to confirm that the zone is properly signed by all keys before
+        using it.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id307579"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659330"></a><h2>AUTHOR</h2>
+<a name="id307606"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>