diff --git a/CHANGES b/CHANGES index 9c9d25c860..1c3d065321 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2810. [doc] Clarified the process of transitioning an NSEC3 zone + to insecure. [RT #20746] + 2809. [cleanup] Restored accidentally-deleted text in usage output in dnssec-settime and dnssec-revoke [RT #20739] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 510e4cc5b7..b0eb2fbed0 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -6616,9 +6616,26 @@ options { dnssec-secure-to-insecure - Allow a zone to transition from secure to insecure by - deleting all DNSKEY records. The default is - no. + Allow a dynamic zone to transition from secure to + insecure (i.e., signed to unsigned) by deleting all + of the DNSKEY records. The default is no. + If set to yes, and if the DNSKEY RRset + at the zone apex is deleted, all RRSIG and NSEC records + will be removed from the zone as well. + + + If the zone uses NSEC3, then it is also necessary to + delete the NSEC3PARAM RRset from the zone apex; this will + cause the removal of all corresponding NSEC3 records. + (It is expected that this requirement will be eliminated + in a future release.) + + + Note that if a zone has been configured with + auto-dnssec maintain and the + private keys remain accessible in the key repository, + then the zone will be automatically signed again the + next time named is started.
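Review bot: the hunk at `@@ -18,7 +18,7 @@` in doc/arm/Bv9ARM-book.xml appears to change only the blank line following the `PERFORMANCE OF THIS SOFTWARE. -->` comment close; as extracted it reads as a whitespace-only edit that is unrelated to the RT #20746 documentation change described in CHANGES. Please confirm it is intentional (for example a trailing-whitespace cleanup) or drop it from this commit so the diff stays focused on the dnssec-secure-to-insecure text.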
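Review bot: in the `@@ -6616,9 +6616,26 @@` hunk the new dnssec-secure-to-insecure text is silent on the parent side of the transition: it describes deleting the DNSKEY RRset (and, for NSEC3, the NSEC3PARAM RRset) but never says that a DS record still published at the parent must be withdrawn before the zone goes unsigned, which is the step an operator following this section is most likely to get wrong, since validators will treat a signed delegation to an unsigned zone as bogus. Consider adding one sentence on that ordering next to "by deleting all of the DNSKEY records." Two smaller points: "(It is expected that this requirement will be eliminated in a future release.)" is a forward-looking promise that ages badly in a reference manual and would read better pointing at the tracking ticket or simply omitted; and the "i.e., signed to unsigned" gloss could be dropped since the sentence already says "secure to insecure" in a section that defines the terms.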