Commit d0696586 authored by Evan Hunt

remove references to dnssec-enable in the documentation

parent fd298a2d
......@@ -1078,13 +1078,6 @@
<para>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
(Note that <command>dnssec-enable</command> must also be
<userinput>yes</userinput> (the default value) for signatures
to be returned along with validated data. If validation is
enabled while <command>dnssec-enable</command> is set to
<userinput>no</userinput>, the server will validate internally,
but will not supply clients with the necessary records to allow
validity to be confirmed.)
</para>
</listitem>
</varlistentry>
......
......@@ -2194,12 +2194,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</section>
<section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
<para>
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC-aware clients,
<command>dnssec-enable</command> must be set to
<userinput>yes</userinput>. This is the default setting.
</para>
<para>
To enable <command>named</command> to validate answers
received from other servers, the
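Review bot: with the opening paragraph of "Configuring Servers for DNSSEC" removed, the section now starts directly on validation of answers from other servers and says nothing about how named responds to DNSSEC-aware clients. Suggest replacing the removed paragraph with one sentence stating whether any configuration is still needed for that case, rather than dropping the topic from the section.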
......@@ -2230,17 +2224,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para>
<para>
If <command>dnssec-enable</command> is set to
<userinput>no</userinput>, then the default for
<command>dnssec-validation</command> is also changed to
<userinput>no</userinput>. If
<command>dnssec-validation</command> is set to
<userinput>yes</userinput>, the server will
perform DNSSEC validation internally, but will not return
signatures when queried - but it will not be turned on
automatically.
</para>
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
......@@ -2329,7 +2312,6 @@ trusted-keys {
options {
...
dnssec-enable yes;
dnssec-validation yes;
};
</programlisting>
......@@ -6379,12 +6361,7 @@ options {
<term><command>dnssec-enable</command></term>
<listitem>
<para>
This indicates whether DNSSEC-related resource
records are to be returned by <command>named</command>.
If set to <userinput>no</userinput>,
<command>named</command> will not return DNSSEC-related
resource records unless specifically queried for.
The default is <userinput>yes</userinput>.
This option is obsolete and has no effect.
</para>
</listitem>
</varlistentry>
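Review bot: the replacement sentence "This option is obsolete and has no effect." does not say which behaviour is now fixed. The removed text described "no" as suppressing DNSSEC-related resource records unless specifically queried for, so an operator who still has "dnssec-enable no;" in an existing configuration cannot tell from this entry what named does in its place. Suggest adding one sentence that states the behaviour that now always applies.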
......@@ -6393,10 +6370,8 @@ options {
<term xml:id="dnssec_validation_term"><command>dnssec-validation</command></term>
<listitem>
<para>
This enables DNSSEC validation in <command>named</command>.
Note that <command>dnssec-enable</command> also needs to
be set to <userinput>yes</userinput> for signatures to be
returned to the client along with validated answers.
This option enables DNSSEC validation in
<command>named</command>.
</para>
<para>
If set to <userinput>auto</userinput>,
......@@ -6420,13 +6395,6 @@ options {
BIND is built with
<command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
If <command>dnssec-enable</command> is set to
<userinput>no</userinput>, then the default for
<command>dnssec-validation</command> is also
<userinput>no</userinput>. Validation can still be turned on
if desired - this results in a server that performs DNSSEC
validation but does not return signatures when queried -
but it will not be turned on automatically.
</para>
<para>
The default root trust anchor is stored in the file
......
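Review bot: the sentences removed from the end of the default-value paragraph were where the option reference said that "dnssec-enable no" also switched the dnssec-validation default to "no". If the option now has no effect, as its own entry states, a configuration that relied on that coupling to keep validation off would need an explicit "dnssec-validation no;", and nothing in the remaining text tells the reader so. Suggest a short migration note here or in the release notes.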