From 2d1129c49bb9bc157345c0d503e135e5e9b36c27 Mon Sep 17 00:00:00 2001
From: Libor Peltan <libor.peltan@nic.cz>
Date: Fri, 13 Jan 2017 14:44:21 +0100
Subject: [PATCH] doc: mod-online-sign doc improved

---
 doc/man/knot.conf.5in | 24 ++++++++++++++++++++++++
 doc/modules.rst       |  7 +++++--
 doc/reference.rst     | 30 ++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 5141375e89..769b119286 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -1213,6 +1213,30 @@ If enabled, query messages will be logged.
 If enabled, response messages will be logged.
 .sp
 \fIDefault:\fP on
+.SH MODULE ONLINE-SIGN
+.sp
+The module provides online DNSSEC signing. Instead of pre\-computing the zone signatures
+when the zone is loaded into the server or instead of loading an externally signed zone,
+the signatures are computed on\-the\-fly during answering.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mod\-online\-sign:
+  \- id: STR
+    policy: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A module identifier.
+.SS policy
+.sp
+A \fI\%reference\fP to DNSSEC signing policy. A special \fIdefault\fP
+value can be used for the default policy settings.
 .SH MODULE SYNTH-RECORD
 .sp
 This module is able to synthesize either forward or reverse records for the
diff --git a/doc/modules.rst b/doc/modules.rst
index a49d999779..d78dc932d9 100644
--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -387,8 +387,11 @@ How to use the online signing module:
      - domain: example.com
        module: mod-online-sign/explicit
 
+  Or use manual policy in an analogous manner, see
+  :ref:`Manual key management<dnssec-manual-key-management>`.
+
   .. NOTE::
-     Only keystore, algorithm, zsk-size, and rrsig-lifetime policy items are
+     Only id, manual, keystore, algorithm, zsk-size, and rrsig-lifetime policy items are
      relevant to this module. If no rrsig-lifetime is configured, the
      default value is 25 hours.
 
@@ -424,7 +427,7 @@ Known issues:
 
 Limitations:
 
-* Only a Single-Type Signing scheme is supported.
+* Online-sign module always enforces Single-Type Signing scheme.
 
 * Only one active signing key can be used.
 
diff --git a/doc/reference.rst b/doc/reference.rst
index 183a23e463..36c0519b56 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -1418,6 +1418,36 @@ If enabled, response messages will be logged.
 
 *Default:* on
 
+.. _Module online-sign:
+
+Module online-sign
+==================
+
+The module provides online DNSSEC signing. Instead of pre-computing the zone signatures
+when the zone is loaded into the server or instead of loading an externally signed zone,
+the signatures are computed on-the-fly during answering.
+
+::
+
+ mod-online-sign:
+   - id: STR
+     policy: STR
+
+.. _mod-online-sign_id:
+
+id
+--
+
+A module identifier.
+
+.. _mod-online-sign_policy:
+
+policy
+------
+
+A :ref:`reference<policy_id>` to DNSSEC signing policy. A special *default*
+value can be used for the default policy settings.
+
 .. _Module synth-record:
 
 Module synth-record
-- 
GitLab