From: Petr Špaček Date: Tue, 21 Jun 2022 13:08:17 +0000 (+0200) Subject: Mention zone storage in the DNSSEC chapter X-Git-Tag: v9.19.3~30^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=146c125988bbfcb8e4024313f21014b7be5c77d6;p=thirdparty%2Fbind9.git Mention zone storage in the DNSSEC chapter Let's not duplicate texts, link to description elsewhere instead. --- diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 99515b492b8..dab187f0289 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -106,17 +106,9 @@ This single line is sufficient to create the necessary signing keys, and generat care of any DNSSEC maintenance for this zone, including replacing signatures that are about to expire and managing :ref:`key_rollovers`. -**TODO:** -The original zone file :file:`dnssec.example.db` remains untouched and the -signed version of the zone is stored on disk in :file:`dnssec.example.db.signed`. -When setting a ``dnssec-policy`` for a zone, it typically creates a new file -with a ``.signed`` extension on disk, while the original zone file stays -untouched. This is called inline signing. - -DNSSEC configuration works slightly differently for dynamic zones. DNSSEC-related -records are applied directly to zones with an update ACL or update -policy, similarly to non-DNSSEC records, instead of storing them in a file with a -``.signed`` extension. +.. note:: + ``dnssec-policy`` needs write access to the zone. Please see + :ref:`dnssec_policy` for more details about implications for zone storage. The default policy creates one key that is used to sign the complete zone, and uses ``NSEC`` to enable authenticated denial of existence (a secure way