Clarify rndc sign

It was not explicitly clear that 'rndc sign' replaces signatures of inactive keys and updates signatures that are not so fresh.
2025-12-20 00:55:29 +08:00 · 2025-08-26 13:58:59 +02:00
parent 9c0a657a6f
commit ed2ab3b5a5
1 changed files with 5 additions and 7 deletions
--- a/bin/rndc/rndc.rst
+++ b/bin/rndc/rndc.rst
@@ -303,9 +303,7 @@ Currently supported commands are:
   immediately re-signed by the new keys, but is allowed to
   incrementally re-sign over time.

-   This command requires that the zone be configured with a ``dnssec-policy``, and
-   also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
-   Update Policies" in the Administrator Reference Manual for more details.)
+   This command requires that the zone be configured with a ``dnssec-policy``.

 .. option:: managed-keys (status | refresh | sync | destroy) [class [view]]

@@ -596,11 +594,11 @@ Currently supported commands are:
   the ``key-directory`` option in the BIND 9 Administrator Reference
   Manual). If they are within their publication period, they are merged into
   the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the
-   zone is automatically re-signed with the new key set.
+   zone is automatically re-signed with the new key set. This will replace signatures
+   of inactive keys with signatures from active keys, and update signatures that
+   expire within the refresh interval.

-   This command requires that the zone be configured with a ``dnssec-policy``, and
-   also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
-   Update Policies" in the Administrator Reference Manual for more details.)
+   This command requires that the zone be configured with a ``dnssec-policy``.

   See also :option:`rndc loadkeys`.