From: Aram Sargsyan Date: Wed, 24 Jan 2024 14:45:29 +0000 (+0000) Subject: Document a specific 'dnssec-validation yes' usage incompatibility X-Git-Tag: v9.19.22~61^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85f966a8f6795ae934d55ad07159277b3bbd91a2;p=thirdparty%2Fbind9.git Document a specific 'dnssec-validation yes' usage incompatibility Static trust anchor for the root zone can not be used with 'dnssec-validation auto'. --- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 57931b9a6bb..14bedfaea01 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2572,7 +2572,10 @@ Boolean Options If set to ``auto``, DNSSEC validation is enabled and a default trust anchor for the DNS root zone is used. This trust anchor is provided as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key - management. + management. Adding an explicit static key using the :any:`trust-anchors` + statement with a ``static-key`` anchor type (or using the deprecated + :any:`trusted-keys` statement) for the root zone is not supported with the + ``auto`` setting, and is treated as a configuration error. If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be manually configured using a :any:`trust-anchors` statement (or the
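Review bot: The sentence added to the ``auto`` paragraph in doc/arm/reference.rst names only the ``static-key`` anchor type (plus the deprecated :any:`trusted-keys` statement), so a reader cannot tell whether a root-zone ``static-ds`` entry in :any:`trust-anchors` is rejected in the same way. If it is, word it as "a static anchor type (``static-key`` or ``static-ds``)"; if it is not, say so explicitly. The commit subject says 'dnssec-validation yes', while the commit body and the new text both describe a restriction on ``auto``, so the subject should name ``auto`` to keep the log searchable. The phrase "is treated as a configuration error" would also be more useful to an operator if it said what happens, for example whether the configuration fails to load.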