Document rndc dnssec -step

This documentation was missing from !10774.

(cherry picked from commit b1a9ce710409cd6df55c58ba1e693125cfa7147f)

diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst
index 0cb54dce7e4ec2313b2a04499a082a176f62c297..6ffd32fe49ea961e2d1cdf988a7944bf9a22c46d 100644 (file)
--- a/bin/rndc/rndc.rst
+++ b/bin/rndc/rndc.rst
@@ -171,7 +171,7 @@ Currently supported commands are:
 
    See also :option:`rndc addzone` and :option:`rndc modzone`.
 
-.. option:: dnssec (-status | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time]  published | withdrawn)) zone [class [view]]
+.. option:: dnssec (-status | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time]  published | withdrawn)) zone [class [view]]
 
    This command allows you to interact with the "dnssec-policy" of a given
    zone.
@@ -179,6 +179,13 @@ Currently supported commands are:
    ``rndc dnssec -status`` show the DNSSEC signing state for the specified
    zone.
 
+   ``rndc dnssec -step`` sends a signal to an instance of :iscman:`named` for a
+   zone configured with ``dnssec-policy`` in manual mode, telling it to
+   continue with the operations that had previously been blocked but logged.
+   This gives the human operator a chance to review the log messages,
+   understand what will happen next and then, using ``rndc dnssec -step``, to
+   inform :iscman:`named` to proceed to the next stage.
+
    ``rndc dnssec -rollover`` allows you to schedule key rollover for a
    specific key (overriding the original key lifetime).