zone. Setting a range here and in ``ALLOW-DNSUPDATE-FROM`` enables updates
from either address range.
+``dnsupdate-require-tsig``
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A setting to require DNS updates to be signed by a valid TSIG signature.
+The default is no, which means zones without TSIG keys can be updated by
+unauthenticated agents operating from an allowed address range.
+
``forward-dnsupdate``
~~~~~~~~~~~~~~~~~~~~~
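
Review bot: "signed by a valid TSIG signature" in the new ``dnsupdate-require-tsig`` paragraph does not say which key the signature is checked against. The settings entry added in this same patch says the requirement holds "even if the zone has no associated keys", so this paragraph should state what happens to a signed update for such a zone: is any key known to the server accepted, or is the update refused until a key is associated with the zone? Suggest also linking the setting with ``:ref:`setting-dnsupdate-require-tsig``` so readers can reach the type and default from here.
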
By default, an update can add, update or delete any resource records in
the zone. See :ref:`dnsupdate-update-policy` for finer-grained
control of what an update is allowed to do.
+Use :ref:`setting-dnsupdate-require-tsig` to disallow unsigned updates.
.. _metadata-forward-dnsupdate:
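
Review bot: the sentence added after the update-policy paragraph tells readers how to disallow unsigned updates but not that they are accepted by default. This paragraph is where the page describes what an update is allowed to do, so suggest stating the default here too: with the setting left at no, zones without TSIG keys accept unsigned updates from an allowed address range, as the new ``dnsupdate-require-tsig`` section puts it.
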
Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.
+.. _setting-dnsupdate-require-tsig:
+
+``dnsupdate-require-tsig``
+-------------
+
+- Boolean
+- Default: no
+
+Requires DNS updates to be signed by a valid TSIG signature even if the zone has no associated keys.
+
.. _setting-do-ipv6-additional-processing:
``do-ipv6-additional-processing``
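
Review bot: the title underline ``-------------`` under the new ``dnsupdate-require-tsig`` settings heading is 13 characters, while the title including its literal backticks is 26, which docutils reports as "Title underline too short"; extend the underline to at least the title length. The description line below it could also say whether "valid" means any configured key or only a key associated with the zone, since it explicitly covers zones that have no associated keys.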