- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.41 2009/10/12 20:48:10 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.42 2009/10/12 23:02:31 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
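Review bot: The `<date>June 05, 2009</date>` in `<refentryinfo>` is left unchanged, although this revision is stamped 2009/10/12 and changes the text of the page. If the project keeps that date in step with content changes, bump it in this commit so the rendered man page does not show a date older than its description of `-x` and `-z`.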
<listitem>
<para>
Only sign the DNSKEY RRset with key-signing keys, and omit
- signatures from zone-signing keys.
+ signatures from zone-signing keys. (This is similar to the
+ <command>dnskey-ksk-only yes;</command> zone option in
+ <command>named</command>.)
</para>
</listitem>
</varlistentry>
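Review bot: "similar to" in the added parenthetical does not tell the reader whether `dnskey-ksk-only yes;` behaves identically to this option or differs in some case. Either say it is equivalent or name the difference, since an operator moving between offline signing and signing done by `named` will rely on this sentence to pick matching settings. A smaller style point: the whole statement `dnskey-ksk-only yes;` is wrapped in `<command>`, whereas the ARM text touched by this same change marks option values with `<literal>`.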
<para>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
- DNSKEY RRset.
+ DNSKEY RRset. (This is similar to the
+ <command>update-check-ksk no;</command> zone option in
+ <command>named</command>.)
</para>
</listitem>
</varlistentry>
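Review bot: The new cross-reference to `update-check-ksk no;` points at an interaction that this page does not document. The ARM text in this change states that when `update-check-ksk` is `no`, `dnskey-ksk-only` is ignored, but nothing here says what `dnssec-signzone` does when the two corresponding options are given together. Add a sentence to this entry stating whether this option overrides the KSK-only signing option or whether the combination is rejected, so the two documents describe the same precedence.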
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.434 2009/10/12 22:54:54 each Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.435 2009/10/12 23:02:32 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
used to sign the DNSKEY RRset at the zone apex.
However, if this option is set to <literal>no</literal>,
then the KSK bit is ignored; KSKs are treated as if they
- were ZSKs and are used to sign the entire zone.
+ were ZSKs and are used to sign the entire zone. This is
+ similar to the <command>dnssec-signzone -z</command>
+ command line option.
</para>
<para>
When this option is set to <literal>yes</literal>, there
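Review bot: The added reference to `dnssec-signzone -z` is plain `<command>` text with no link target. The man page's `<refentry>` carries `id="man.dnssec-signzone"`, so if that page is included in this book, an `<xref>` or `<link>` to that id would let readers reach the option description directly. The same applies to the `-x` reference added under `dnskey-ksk-only`.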
to sign the DNSKEY RRset at the zone apex. Zone-signing
keys (keys without the KSK bit set) will be used to sign
the remainder of the zone, but not the DNSKEY RRset.
+ This is similar to the
+ <command>dnssec-signzone -x</command> command line option.
+ </para>
+ <para>
The default is <command>no</command>. If
<command>update-check-ksk</command> is set to
<literal>no</literal>, this option is ignored.