zone "example.com" in {
...
dnssec-policy default;
+ inline-signing yes;
...
};
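Review bot: the added ``inline-signing yes;`` line in the example zone carries no hint that it is one of two acceptable setups. The prose added later in this patch says ``dnssec-policy`` requires dynamic DNS or ``inline-signing``, so a short comment in the example, or a sentence right after it, should say the line is not required for a zone that already uses dynamic DNS. Otherwise readers will copy it into every zone.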
:ref:`signing_custom_policy`, but for the moment we are accepting the
default values.
+Using ``dnssec-policy`` requires dynamic DNS or ``inline-signing``
+to be enabled.
+
+.. note::
+
+ Previously, if a zone with a ``dnssec-policy`` did not have dynamic
+ DNS set up and ``inline-signing`` was not explicity set, BIND 9 used
+ inline-signing implicitly. But this caused a lot of problems when operators
+ switched on or off dynamic DNS for their zones. Therefor, you now have to
+ configure it explicitly.
+
When the configuration file is updated, tell ``named`` to
reload the configuration file by running ``rndc reconfig``:
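Review bot: the added note has two typos, "explicity" (should be "explicitly") and "Therefor" (should be "Therefore"). It also leaves two gaps for operators: "Previously" does not say which release changed the behaviour, and nothing says what ``named`` does when a zone has ``dnssec-policy`` but neither dynamic DNS nor ``inline-signing``. Please name the version (a ``versionchanged`` directive would fit) and state whether the zone is rejected at load or at ``rndc reconfig``, since the next paragraph tells the reader to run exactly that command.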
With ``dnssec-keymgr``, this is split between two configuration files
and two programs.
-- When using ``dnssec-policy``, there is no need to set the
- ``auto-dnssec`` and ``inline-signing`` options for a zone. The zone's
- ``policy`` statement implicitly does this.
+- The ``dnssec-policy`` statement requires to zone to use dynamic DNS,
+ or that ``inline-signing`` is enabled.
- It is possible to manage some zones served by an instance of BIND
through ``dnssec-policy`` and others through ``dnssec-keymgr``, but
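Review bot: the replacement bullet reads "requires to zone to use dynamic DNS, or that ``inline-signing`` is enabled", which has a typo ("to zone" for "the zone") and a non-parallel construction. Suggested wording: "The ``dnssec-policy`` statement requires the zone to use dynamic DNS or to have ``inline-signing`` enabled." The removed bullet also told readers there was no need to set ``auto-dnssec``; the new text drops that option entirely, so it is no longer clear whether ``auto-dnssec`` is still implied by the policy. Please keep a sentence covering it.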