Add inline-signing to config examples

Add 'inline-signing yes;' to configuration examples to have working
copy paste configurations.

(cherry picked from commit b13a0c8836d2d8bc5b4de1cdfcdb2057c0bb9d93)

diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
index 107e592aefebc9562a3f75bd201c26654904b3e4..f2b66aa31986bf06fc73a40742d198d913f9925f 100644 (file)
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@@ -99,9 +99,13 @@ up-to-date DNSSEC practices:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
+        inline-signing yes;
     };
 
-This single line is sufficient to create the necessary signing keys, and generate
+The ``dnssec-policy`` statement requires dynamic DNS to be set up, or
+``inline-signing`` to be enabled. In the example above we use the latter.
+
+This is sufficient to create the necessary signing keys, and generate
 ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
 care of any DNSSEC maintenance for this zone, including replacing signatures
 that are about to expire and managing :ref:`key_rollovers`.
@@ -171,6 +175,7 @@ by configuring parental agents:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
+        inline-signing yes;
         parental-agents { 192.0.2.1; };
     };
 

diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst
index 54b94ecab7a05199580c8f8e300c23b3ad58eeac..a4bdffaa0aae5b8c126eba9a267185c4323d37bc 100644 (file)
--- a/doc/dnssec-guide/recipes.rst
+++ b/doc/dnssec-guide/recipes.rst
@@ -63,6 +63,7 @@ what the ``named.conf`` zone statement looks like on the primary server, 192.168
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
+       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
+       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed:
        type primary;
        file "db/example.com.db";
        dnssec-policy "default";
+       inline-signing yes;
    };
 
 To indicate the reversion to unsigned, change the ``dnssec-policy`` line:
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the ``dnssec-policy`` line:
        type primary;
        file "db/example.com.db";
        dnssec-policy "insecure";
+       inline-signing yes;
    };
 
 Then use :option:`rndc reload` to reload the zone.

diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst
index baf6755153969b1ede0554a890759b91c3ae560c..9bd537199fe4919ff615c5baacb7a3aa5f29c70c 100644 (file)
--- a/doc/dnssec-guide/signing.rst
+++ b/doc/dnssec-guide/signing.rst
@@ -835,6 +835,7 @@ this example, we'll add it to the ``zone`` statement:
    zone "example.net" in {
        ...
        dnssec-policy standard;
+       inline-signing yes;
        ...
    };
 
@@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt:
    zone "example.net" in {
        ...
        dnssec-policy standard;
+       inline-signing yes;
        parental-agents { "net"; };
        ...
    };