zone "example.com" in {
...
dnssec-policy default;
+ inline-signing yes;
...
};
:ref:`signing_custom_policy`, but for the moment we are accepting the
default values.
+Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing`
+to be enabled.
+
+.. note::
+
+ Previously, if a zone with a :any:`dnssec-policy` did not have dynamic
+ DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used
+ inline-signing implicitly. But this caused a lot of problems when operators
+ switched on or off dynamic DNS for their zones. Therefor, you now have to
+ configure it explicitly.
+
When the configuration file is updated, tell :iscman:`named` to
reload the configuration file by running :option:`rndc reconfig`:
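Review bot: two spelling errors in the added ``.. note::`` block should be fixed before merge: "explicity set" should read "explicitly set", and "Therefor, you now have to" should read "Therefore, you now have to". The note also opens with "Previously" without saying which release changed the behaviour, so an operator upgrading cannot tell whether a zone that relied on implicit inline-signing is affected; naming the version where the explicit setting became mandatory would make the note actionable. "Caused a lot of problems" could likewise state what happened when dynamic DNS was switched on or off for a zone.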
- The :any:`dnssec-policy` statement in the :iscman:`named` configuration file
describes all aspects of the DNSSEC policy, including the signing.
-- When using :any:`dnssec-policy`, there is no need to set the
- :any:`auto-dnssec` and :any:`inline-signing` options for a zone. The zone's
- ``policy`` statement implicitly does this.
+- The :any:`dnssec-policy` statement requires to zone to use dynamic DNS,
+ or that :any:`inline-signing` is enabled.
.. _advanced_discussions_manual_key_management_and_signing:
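Review bot: the added list item has a typo and a non-parallel construction, "requires to zone to use dynamic DNS, or that :any:`inline-signing` is enabled"; suggest "requires the zone to use dynamic DNS or to have :any:`inline-signing` enabled". The removed item also told readers that :any:`auto-dnssec` does not need to be set alongside :any:`dnssec-policy`, and the replacement no longer mentions :any:`auto-dnssec` at all, so it is worth confirming that guidance is still given elsewhere in the list or is intentionally dropped.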