From: Gert van Dijk Date: Sun, 31 Mar 2019 17:37:08 +0000 (+0200) Subject: docs: Add warning on empty bind-dnssec-db for slave operation X-Git-Tag: rec-4.2.0-rc1~45^2~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=168c57013b81fd0c42637dedf4843ac04547ea80;p=thirdparty%2Fpdns.git docs: Add warning on empty bind-dnssec-db for slave operation I fell right into the pitfall of configuring a slave with the BIND backend, serving presigned records, assuming it will serve the RRSIGs just fine, but no, my domain went bogus. This was documented, but not as clearly as I hoped for, this commit improves the documentation regarding that. --- diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst index c2e517fc3e..1ba207058e 100644 --- a/docs/backends/bind.rst +++ b/docs/backends/bind.rst @@ -73,6 +73,11 @@ slave DNSSEC-enabled domains (where the RRSIGS are in the AXFR), a :ref:`metadata-presigned` domain metadata is set during the zonetransfer. +.. warning:: + If this is left empty on slaves and a presigned zone is transferred, + it will (silently) serve it without DNSSEC. This in turn results in + serving the domain as bogus. + .. _setting-bind-hybrid: ``bind-hybrid``
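Review bot: In the added ``.. warning::`` block, "this" and "it" have no clear referent, and "serving the domain as bogus" describes the verdict of a validating resolver rather than what the server itself does. Suggest naming the setting and the effect explicitly, for example: "If ``bind-dnssec-db`` is left empty on a slave and a presigned zone is transferred, the zone is (silently) served without its RRSIGs, and validating resolvers will treat the domain as bogus." The block also states only the failure; one more sentence saying what the operator must configure to avoid it would make the warning actionable where it is read.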